Horizon Installation

Horizon Installation
VMware Horizon 2106

You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
©
Copyright 2021 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc. 2
Contents
Horizon Installation 7
1 System Requirements for Server Components 8

Horizon Connection Server Requirements 8
Hardware Requirements for Horizon Connection Server 9
Supported Operating Systems for Horizon Connection Server 9
Virtualization Software Requirements for Horizon Connection Server 9
Network Requirements for Replicated Horizon Connection Server Instances 10
Horizon Console Requirements 10
2 System Requirements for Guest Operating Systems 11

Requirements and Considerations for Horizon Agent 11
Remote Display Protocol and Software Support 11
3 Preparing Active Directory 13

Configuring Domains and Trust Relationships 13
Trust Relationships and Domain Filtering 15
Creating an OU for Remote Desktops 15
Creating OUs and Groups for Kiosk Mode Client Accounts 16
Creating Groups for Users 16
Creating a User Account for vCenter Server 16
Create a User Account for Instant-Clone Operations 16
Configure the Restricted Groups Policy 17
Using VMware Horizon Group Policy Administrative Template Files 18
Prepare Active Directory for Smart Card Authentication 18
Add UPNs for Smart Card Users 19
Add the Root Certificate to Trusted Root Certification Authorities 19
Add an Intermediate Certificate to Intermediate Certification Authorities 20
Add the Root Certificate to the Enterprise NTAuth Store 21
Disable Weak Ciphers in SSL/TLS 21
4 Installing Horizon Connection Server 23

Installing the Horizon Connection Server Software 23
Installation Prerequisites for Horizon Connection Server 24
Install Horizon Connection Server with a New Configuration 25
Install Horizon Connection Server Silently 29
Silent Installation Properties for a Horizon Connection Server Standard Installation 31
Install a Replicated Instance of Horizon Connection Server 32
VMware, Inc. 3
Install a Replicated Instance of Horizon Connection Server Silently 36

Silent Installation Properties for a Replicated Instance of Horizon Connection Server 38
Unified Access Gateway Appliance Advantages over VPN 39
Horizon LDAP 41
Firewall Rules for Horizon Connection Server 42
Reinstall Horizon Connection Server with a Backup Configuration 43
Microsoft Windows Installer Command-Line Options 44
Uninstalling VMware Horizon Components Silently by Using MSI Command-Line Options 47
5 Configuring TLS Certificates for VMware Horizon Servers 49

Understanding TLS Certificates for VMware Horizon Servers 50
Overview of Tasks for Setting Up TLS Certificates 51
Obtaining a Signed TLS Certificate from a CA 52
Obtain a Signed Certificate from a Windows Domain or Enterprise CA 53
Configure Horizon Connection Server to Use a New TLS Certificate 54
Add the Certificate Snap-In to MMC 55
Import a Signed Server Certificate into a Windows Certificate Store 56
Modify the Certificate Friendly Name 57
Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store
58
Configure Client Endpoints to Trust Root and Intermediate Certificates 59
Configure Horizon Client for Mac to Trust Root and Intermediate Certificates 60
Configure Horizon Client for iOS to Trust Root and Intermediate Certificates 61
Configuring Certificate Revocation Checking on Server Certificates 61
Configure the PCoIP Secure Gateway to Use a New TLS Certificate 63
Verify That the Server Name Matches the PSG Certificate Subject Name 64
Configure a PSG Certificate in the Windows Certificate Store 64
Set the PSG Certificate Friendly Name in the Windows Registry 66
Force a CA-Signed Certificate to Be Used for Connections to the PSG 67
Setting Horizon Console to Trust a vCenter Server Certificate 68
Accept the Thumbprint of a Default TLS Certificate 68
Benefits of Using TLS Certificates Signed by a CA 69
Update the Certificates on a Connection Server Instance 70
Troubleshooting Certificate Issues on Horizon Connection Server 71
6 Configuring VMware Horizon for the First Time 73

Configuring an Instant Clone Domain Administrator in Active Directory 73
Configuring User Accounts for vCenter Server 74
Configure a vCenter Server User for VMware Horizon 74
Privileges Required for the vCenter Server User Without Instant Clones 75
Privileges Required for the vCenter Server User With Instant Clones 76
Configuring Horizon Connection Server for the First Time 78
VMware, Inc. 4
Horizon Console and Horizon Connection Server 78

Log In to Horizon Console 79
Install the Perpetual Product License Key in Horizon Console 80
Enabling VMware Horizon for Subscription Licenses and Horizon Control Plane Services
81
Add vCenter Server Instances to VMware Horizon 82
Register Gateways in Horizon Console 84
Add an Instant-Clone Domain Administrator 85
Configuring View Storage Accelerator for vCenter Server 85
Concurrent Operations Limits for vCenter Server 87
Setting a Concurrent Power Operations Rate to Support Remote Desktop Logon Storms
88
Accept the Thumbprint of a Default TLS Certificate 88
Configuring Horizon Client Connections 90
Configure the Secure Tunnel and PCoIP Secure Gateway 91
Configure the Blast Secure Gateway 92
Set the External URLs for Horizon Connection Server Instances 93
Give Preference to DNS Names When Horizon Connection Server Returns Address
Information 94
Allow HTML Access Through a Load Balancer 95
Allow HTML Access Through a Gateway 96
Configure the VMware Horizon Web Portal Page for End Users 96
Replacing Default Ports for VMware Horizon Services 100
Replace the Default HTTP Ports or NICs for Horizon Connection Server Instances 100
Replace the Default Ports or NICs for the PCoIP Secure Gateway on Horizon Connection
Server Instances 102
Replace the Default Control Port for PCoIP Secure Gateway on Connection Server Instances
103
Change the Port Number for HTTP Redirection to Connection Server 103
Prevent HTTP Redirection for Client Connections to Connection Server 104
Enable Remote Access to VMware Horizon Performance Counters on Connection Servers
105
Sizing Windows Server Settings to Support Your Deployment 105
Sizing Memory for Horizon Connection Server 105
Configure the System Page-File Settings 106
7 Deploying VMware Horizon on VMware Cloud on AWS 107
8 Deploying VMware Horizon on Azure VMware Solution 108
9 Deploying VMware Horizon on VMware Cloud on Dell EMC 109
10 Configuring Event Reporting in Horizon Console 110
VMware, Inc. 5
Add a Database and Database User for VMware Horizon Events in Horizon Console 110
Prepare an SQL Server Database for Event Reporting in Horizon Console 111
Prepare a PostgreSQL Database for Event Reporting in Horizon Console 112
Configure the Event Database in Horizon Console 112
SSL Connection to Event Database 115
Configure Event Logging to File or Syslog Server in Horizon Console 115
11 Installing VMware Horizon in an IPv6 Environment 117

Setting Up VMware Horizon in an IPv6 Environment 117
Supported vSphere, Database, and Active Directory Versions in an IPv6 Environment 118
Supported Operating Systems for VMware Horizon Servers in an IPv6 Environment 118
Supported Windows Operating Systems for Desktops and RDS Hosts in an IPv6 Environment
118
Supported Clients in an IPv6 Environment 119
Supported Remoting Protocols in an IPv6 Environment 119
Supported Authentication Types in an IPv6 Environment 119
Other Supported Features in an IPv6 Environment 120
12 Installing VMware Horizon in FIPS Mode 123

Overview of Setting Up VMware Horizon in FIPS Mode 123
System Requirements for FIPS Mode 124
VMware, Inc. 6
®
Horizon Installation explains how to install the VMware Horizon server, agent, and client
components.
Intended Audience
This information is intended for anyone who wants to install VMware Horizon. The information is
written for experienced Windows or Linux system administrators who are familiar with virtual
machine technology and datacenter operations.
VMware, Inc. 7
System Requirements for Server
Components 1
Hosts that run VMware Horizon server components must meet specific hardware and software
requirements.
This chapter includes the following topics:
n Horizon Connection Server Requirements
n Horizon Console Requirements
Horizon Connection Server Requirements

Horizon Connection Server acts as a broker for client connections by authenticating and then
directing incoming user requests to the appropriate remote desktops and applications. Horizon
Connection Server has specific hardware, operating system, installation, and supporting software
requirements.
n Hardware Requirements for Horizon Connection Server

You must install all Horizon Connection Server installation types, including standard, replica,
and enrollment server installations, on a dedicated physical or virtual machine that meets
specific hardware requirements.
n Supported Operating Systems for Horizon Connection Server

You must install Horizon Connection Server on a supported Windows Server operating
system.
n Virtualization Software Requirements for Horizon Connection Server

If you choose to deploy VMware Horizon in a VMware virtualized environment some
minimum version of the virtualization software is required.
n Network Requirements for Replicated Horizon Connection Server Instances

When installing replicated Horizon Connection Server instances, you must usually configure
the instances in the same physical location and connect them over a high-performance LAN.
VMware, Inc. 8
Hardware Requirements for Horizon Connection Server

You must install all Horizon Connection Server installation types, including standard, replica, and
enrollment server installations, on a dedicated physical or virtual machine that meets specific
hardware requirements.
Table 1-1. Horizon Connection Server Hardware Requirements
Hardware Component Required Recommended
Processor Pentium IV 2.0GHz processor or 4 CPUs

higher
Network Adapter 100Mbps NIC 1Gbps NICs
Memory 4GB RAM or higher At least 10GB RAM for deployments of 50 or

more remote desktops
These requirements also apply to replica Horizon Connection Server instances that you install for
high availability or external access.
Important The physical or virtual machine that hosts Horizon Connection Server must have an IP
address that does not change. In an IPv4 environment, configure a static IP address. In an IPv6
environment, machines automatically get IP addresses that do not change.
Supported Operating Systems for Horizon Connection Server

You must install Horizon Connection Server on a supported Windows Server operating system.
For a list of supported Windows Server operating systems, see the VMware Knowledge Base
(KB) article https://kb.vmware.com/s/article/78652.
Virtualization Software Requirements for Horizon Connection Server

If you choose to deploy VMware Horizon in a VMware virtualized environment some minimum
version of the virtualization software is required.
If you are using vSphere, you must use a supported version of vSphere ESX/ESXi hosts and
vCenter Server.
For details about which versions of Horizon are compatible with which versions of vCenter Server
and ESXi, see the VMware Product Interoperability Matrix at http://www.vmware.com/resources/
compatibility/sim/interop_matrix.php.
VMware, Inc. 9
Network Requirements for Replicated Horizon Connection Server

Instances
When installing replicated Horizon Connection Server instances, you must usually configure the
instances in the same physical location and connect them over a high-performance LAN.
Important To use a group of replicated Connection Server instances across a WAN, MAN
(metropolitan area network), or other non-LAN, in scenarios where a Horizon deployment needs
to span data centers, you must use the Cloud Pod Architecture feature. For more information,
see the Administering Cloud Pod Architecture in Horizon document.
Horizon Console Requirements

Administrators use Horizon Console to configure Horizon Connection Server, deploy and manage
remote desktops and applications, control user authentication, initiate and examine system
events, and carry out analytical activities. Client systems that run Horizon Console must meet
certain requirements.
Horizon Console is a web-based application that is installed when you install Connection Server.
You can access and use Horizon Console with the following web browsers:
n Internet Explorer 11
n Firefox (latest versions)
n Chrome (latest versions)
n Safari (latest versions)
n Microsoft Edge (Windows 10)
The computer on which you launch Horizon Console must trust the root and intermediate
certificates of the server that hosts Connection Server. The supported browsers already contain
certificates for all of the well-known certificate authorities (CAs). If your certificates come from a
CA that is not well known, you must follow the instructions in Configure Client Endpoints to Trust
Root and Intermediate Certificates.
To display text properly, Horizon Console requires Microsoft-specific fonts. If your web browser
runs on a non-Windows operating system such as Linux, UNIX, or Mac, make sure that Microsoft-
specific fonts are installed on your computer.
Currently, the Microsoft web site does not distribute Microsoft fonts, but you can download them
from independent web sites.
VMware, Inc. 10
System Requirements for Guest
Operating Systems 2
Systems running Horizon Agent must meet certain hardware and software requirements.
n Requirements and Considerations for Horizon Agent
n Remote Display Protocol and Software Support
Requirements and Considerations for Horizon Agent

The Horizon Agent component assists with session management, single sign-on, device
redirection, and other features. You must install Horizon Agent on all virtual machines, physical
systems, and RDS hosts.
The types and editions of the supported guest operating system depend on the Windows
version.
For a list of Windows 10 guest operating systems, see the VMware Knowledge Base (KB) article
https://kb.vmware.com/s/article/78714.
For Windows operating systems, other than Windows 10, see the VMware Knowledge Base (KB)
article https://kb.vmware.com/s/article/78715.
For enhanced security, VMware recommends configuring cipher suites to remove known
vulnerabilities. For instructions on how to set up a domain policy on cipher suites for Windows
machines that run Horizon Agent, see Disable Weak Ciphers in SSL/TLS.
Remote Display Protocol and Software Support

Remote display protocols and software provide access to remote desktops and applications. The
remote display protocol used depends on the type of client device, whether you are connecting
to a remote desktop or a remote application, and how the administrator configures the desktop
or application pool.
For information about which desktop operating systems support specific remote display protocol
features, see the Horizon Architecture Planning document.
VMware, Inc. 11
For information about which client devices support specific remote display protocol features, go
to https://docs.vmware.com/en/VMware-Horizon-Client/index.html.
VMware, Inc. 12
Preparing Active Directory
3
VMware Horizon uses your existing Microsoft Active Directory infrastructure for user
authentication and management. You must perform certain tasks to prepare Active Directory for
use with VMware Horizon.
VMware Horizon supports certain Active Directory Domain Services (AD DS) domain functional
levels. For more information, see the VMware Knowledge Base (KB) article https://
kb.vmware.com/s/article/78652.
n Configuring Domains and Trust Relationships
n Creating an OU for Remote Desktops
n Creating OUs and Groups for Kiosk Mode Client Accounts
n Creating Groups for Users
n Creating a User Account for vCenter Server
n Create a User Account for Instant-Clone Operations
n Configure the Restricted Groups Policy
n Using VMware Horizon Group Policy Administrative Template Files
n Prepare Active Directory for Smart Card Authentication
n Disable Weak Ciphers in SSL/TLS
Configuring Domains and Trust Relationships

You must join each Connection Server host to an Active Directory domain. The host must not be
a domain controller.
Active Directory also manages the Horizon Agent machines, including single-user machines and
RDS hosts, and the users and groups in your VMware Horizon deployment. You can entitle users
and groups to remote desktops and applications, and you can select users and groups to be
administrators in VMware Horizon.
VMware, Inc. 13
You can place Horizon Agent machines and users and groups, in the following Active Directory
domains:
n The Connection Server domain
n A different domain that has a two-way trust relationship with the Connection Server domain
n A domain in a different forest than the Connection Server domain that is trusted by the
Connection Server domain in a one-way external or realm trust relationship
n A domain in a different forest than the Connection Server domain that is trusted by the
Connection Server domain in a one-way or two-way transitive forest trust relationship
n Untrusted domains
Users are authenticated using Active Directory against the Connection Server domain and any
additional user domains with which a trust agreement exists.
If your users and groups are in one-way trusted domains, you must provide secondary
credentials for the administrator users in Horizon Console. Administrators must have secondary
credentials to give them access to the one-way trusted domains. A one-way trusted domain can
be an external domain or a domain in a transitive forest trust.
Secondary credentials are required only for Horizon Console sessions, not for end users' desktop
or application sessions. Only administrator users require secondary credentials.
You can provide secondary credentials by using the vdmadmin -T command.
n You configure secondary credentials for individual administrator users.
n For a forest trust, you can configure secondary credentials for the forest root domain.
Connection Server can then enumerate the child domains in the forest trust.
For more information, see "Providing Secondary Credentials for Administrators Using the -T
Option" in the Horizon Administration document.
Smart card and SAML authentication of users is not supported in one-way trusted domains.
Unauthenticated access is not supported in a one-way trust environment when authenticating a

user from a trusted domain. For example, there are two domains, Domain A and Domain B,
where Domain B has a one-way outgoing trust to Domain A. When you enable unauthenticated
access on the Connection Server in Domain B and add an unauthenticated access user from a
user list in Domain A and then entitle the unauthenticated user to a published desktop or
application pool, the user cannot log in as an unauthenticated access user from Horizon Client.
The Logon as current user feature in Horizon Client for Windows is supported in one-way trusted
domains.
VMware, Inc. 14
Untrusted Domains
A domain in a different forest than the Connection Server domain that does not have any formal
trust with the Connection Server domain is an untrusted domain relationship. For an untrusted
domain relationship, users are authenticated using the primary domain bind account credentials.
Users can be authenticated with auxiliary domain bind accounts only if the primary domain bind
account is inaccessible. For more information about configuring untrusted domains, see
"Configuring Untrusted Domains" in the Horizon Administration document.
The following features are not supported in an untrusted domain:
n Logon as current user
n Unauthenticated access users
n vdmadmin commands
n Adding an administrator user for an untrusted domain
n IPv6
n Identify an AD User That Does Not Have an AD UPN
Trust Relationships and Domain Filtering

To determine which domains it can access, a Connection Server instance traverses trust
relationships beginning with its own domain.
For a small, well-connected set of domains, Connection Server can quickly determine the full list
of domains, but the time that it takes increases as the number of domains increases or as the
connectivity between the domains decreases. The list might also include domains that you would
prefer not to offer to users when they connect to their remote desktops and applications.
You can use the vdmadmin command to configure domain filtering to limit the domains that a
Connection Server instance searches and that it displays to users. See the Horizon Administration
document for more information.
If a forest trust is configured with name suffix exclusions, the configured exclusions are used to
filter the list of forest child domains. Name suffix exclusion filtering is applied in addition to the
filtering that is specified with the vdmadmin command.
Creating an OU for Remote Desktops

You should create an organizational unit (OU) specifically for your remote desktops. An OU is a
subdivision in Active Directory that contains users, groups, computers, or other OUs.
To prevent group policy settings from being applied to other Windows servers or workstations in
the same domain as your desktops, you can create a GPO for your VMware Horizon group
policies and link it to the OU that contains your remote desktops. You can also delegate control
of the OU to subordinate groups, such as server operators or individual users.
VMware, Inc. 15
Creating OUs and Groups for Kiosk Mode Client Accounts

A client in kiosk mode is a thin client or a locked-down PC that runs the client software to connect
to a Connection Server instance and launch a remote desktop session. If you configure clients in
kiosk mode, you should create dedicated OUs and groups in Active Directory for kiosk mode
client accounts.
Creating dedicated OUs and groups for kiosk mode client accounts partitions client systems
against unwarranted intrusion and simplifies client configuration and administration.
See the Horizon Administration document for more information.
Creating Groups for Users

You should create groups for different types of users in Active Directory. For example, you can
create a group called VMware HorizonUsers for your end users and another group called
VMware Horizon Administrators for users that will administer remote desktops and applications.
Creating a User Account for vCenter Server

You must create a user account in Active Directory to use with vCenter Server. You specify this
user account when you add a vCenter Server instance in Horizon Console.
You must give the user account privileges to perform certain operations in vCenter Server. You
can create a vCenter Server role with the appropriate privileges and assign the role to the
vCenter Server user. The list of privileges you add to the vCenter Server role varies, depending
on whether you use VMware Horizon with or without instant clones. See Configuring User
Accounts for vCenter Server.
Create a User Account for Instant-Clone Operations

Before you deploy instant clones, you must create a user account that has the permission to
perform certain operations in Active Directory.
Select this account when you add an instant-clone domain administrator before deploying
instant-clone desktop pools. For more information, see Add an Instant-Clone Domain
Administrator.
Procedure
1 In Active Directory, create a user account in the same domain as the Connection Server or in
a trusted domain.
VMware, Inc. 16
2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties
permissions to the account on the container for the instant-clone computer accounts.
The following list shows the required permissions for the user account, including permissions
that are assigned by default:
n List Contents
n Read All Properties
n Write All Properties
n Read Permissions
n Reset Password
n Create Computer Objects
n Delete Computer Objects
Make sure that the permissions apply to the correct container and to all child objects of the
container.
Configure the Restricted Groups Policy

To be able to connect to a remote desktop, users must belong to the local Remote Desktop
Users group of the remote desktop. You can use the Restricted Groups policy in Active Directory
to add users or groups to the local Remote Desktop Users group of every remote desktop that is
joined to your domain.
The Restricted Groups policy sets the local group membership of computers in the domain to
match the membership list settings defined in the Restricted Groups policy. The members of your
remote desktop users group are always added to the local Remote Desktop Users group of
every remote desktop that is joined to your domain. When adding new users, you need only add
them to your remote desktop users group.
These steps apply to the Active Directory server on the domain on which VMware Horizon virtual
desktops or published desktops and applications are joined.
Prerequisites
Create a group for remote desktop users in your domain in Active Directory. For example, create
a group named "Horizon Users".
Procedure
1 On the Active Directory server, navigate to the Group Policy Management plug-in and
complete the following steps:
a Select Start > Administrative Tools > Group Policy Management.
b Expand your domain, right-click Default Domain Policy, and click Edit.
2 Expand the Computer Configuration section and open Windows Settings\Security Settings.
VMware, Inc. 17
3 Right-click Restricted Groups, select Add Group, and add the Remote Desktop Users group.
4 Right-click the group and add your new remote desktop users group to the group
membership list.
For example, add "Horizon Users" to Remote Desktop Users.
5 Click OK to save your changes.
Using VMware Horizon Group Policy Administrative

Template Files
VMware Horizon includes several component-specific group policy administrative (ADMX)
template files.
All ADMX files that provide group policy settings for Horizon are available in VMware-Horizon-
Extras-Bundle-YYMM-x.x.x-yyyyyyyy.zip, where YYMM is the marketing version, x.x.x is the
internal version and yyyyyyyy is the build number. You can download the file from the VMware
Downloads site at https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User
Computing, select the VMware Horizon download, which includes the GPO Bundle containing the
ZIP file.
You can optimize and secure remote desktops by adding the policy settings in these files to a
new or existing GPO in Active Directory and then linking that GPO to the OU that contains your
desktops.
See the Horizon Administration and Configuring Remote Desktop Features in Horizon documents
for information on using VMware Horizon group policy settings.
Prepare Active Directory for Smart Card Authentication

You might need to perform certain tasks in Active Directory when you implement smart card
authentication.
n Add UPNs for Smart Card Users

Because smart card logins rely on user principal names (UPNs), the Active Directory
accounts of users and administrators that use smart cards to authenticate in VMware
Horizon must have a valid UPN.
n Add the Root Certificate to Trusted Root Certification Authorities

If you use a certification authority (CA) to issue smart card login or domain controller
certificates, you must add the root certificate to the Trusted Root Certification Authorities
group policy in Active Directory. You do not need to perform this procedure if the Windows
domain controller acts as the root CA.
VMware, Inc. 18
n Add an Intermediate Certificate to Intermediate Certification Authorities

If you use an intermediate certification authority (CA) to issue smart card login or domain
controller certificates, you must add the intermediate certificate to the Intermediate
Certification Authorities group policy in Active Directory.
n Add the Root Certificate to the Enterprise NTAuth Store

If you use a CA to issue smart card login or domain controller certificates, you must add the
root certificate to the Enterprise NTAuth store in Active Directory. You do not need to
perform this procedure if the Windows domain controller acts as the root CA.
Add UPNs for Smart Card Users

Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of
users and administrators that use smart cards to authenticate in VMware Horizon must have a
valid UPN.
If the domain a smart card user resides in is different from the domain that your root certificate
was issued from, you must set the user’s UPN to the Subject Alternative Name (SAN) contained
in the root certificate of the trusted CA. If your root certificate was issued from a server in the
smart card user's current domain, you do not need to modify the user's UPN.
Note You might need to set the UPN for built-in Active Directory accounts, even if the certificate
is issued from the same domain. Built-in accounts, including Administrator, do not have a UPN set
by default.
Prerequisites
n Obtain the SAN contained in the root certificate of the trusted CA by viewing the certificate
properties.
n If the ADSI Edit utility is not present on your Active Directory server, download and install the
appropriate Windows Support Tools from the Microsoft Web site.
Procedure
1 On your Active Directory server, start the ADSI Edit utility.
2 In the left pane, expand the domain the user is located in and double-click CN=Users.
3 In the right pane, right-click the user and then click Properties.
4 Double-click the userPrincipalName attribute and type the SAN value of the trusted CA
certificate.
5 Click OK to save the attribute setting.
Add the Root Certificate to Trusted Root Certification Authorities

If you use a certification authority (CA) to issue smart card login or domain controller certificates,
you must add the root certificate to the Trusted Root Certification Authorities group policy in
VMware, Inc. 19
Active Directory. You do not need to perform this procedure if the Windows domain controller
acts as the root CA.
Procedure
2 Expand the Computer Configuration section and open Windows Settings\Security Settings
\Public Key.
3 Right-click Trusted Root Certification Authorities and select Import.
4 Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and
click OK.
5 Close the Group Policy window.
Results
All of the systems in the domain now have a copy of the root certificate in their trusted root
store.
What to do next
If an intermediate certification authority (CA) issues your smart card login or domain controller
certificates, add the intermediate certificate to the Intermediate Certification Authorities group
policy in Active Directory. See Add an Intermediate Certificate to Intermediate Certification
Authorities.
Add an Intermediate Certificate to Intermediate Certification

Authorities
If you use an intermediate certification authority (CA) to issue smart card login or domain
controller certificates, you must add the intermediate certificate to the Intermediate Certification
Authorities group policy in Active Directory.
Procedure
2 Expand the Computer Configuration section and open the policy for Windows Settings
\Security Settings\Public Key.
3 Right-click Intermediate Certification Authorities and select Import.
VMware, Inc. 20
4 Follow the prompts in the wizard to import the intermediate certificate (for example,
intermediateCA.cer) and click OK.
Results
All of the systems in the domain now have a copy of the intermediate certificate in their
intermediate certification authority store.
Add the Root Certificate to the Enterprise NTAuth Store

If you use a CA to issue smart card login or domain controller certificates, you must add the root
certificate to the Enterprise NTAuth store in Active Directory. You do not need to perform this
procedure if the Windows domain controller acts as the root CA.
Procedure
u On your Active Directory server, use the certutil command to publish the certificate to the
Enterprise NTAuth store.
For example: certutil -dspublish -f path_to_root_CA_cert NTAuthCA
Results
The CA is now trusted to issue certificates of this type.
Disable Weak Ciphers in SSL/TLS

To achieve greater security, you can configure the domain policy group policy object (GPO) to
ensure that Windows-based machines running Horizon Agent do not use weak ciphers when
they communicate by using the TLS protocol.
Procedure
1 To edit the GPO on the Active Directory server, select Start > Administrative Tools > Group
Policy Management, right-click the GPO, and select Edit.
2 In the Group Policy Management Editor, navigate to Computer Configuration > Policies >
Administrative Templates > Network > SSL Configuration Settings.
3 Double-click SSL Cipher Suite Order.
4 In the SSL Cipher Suite Order window, click Enabled.
5 In the Options pane, replace the entire content of the SSL Cipher Suites text box with the
following cipher list:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
VMware, Inc. 21
The cipher suites appear on separate lines for readability. When you paste the list into the
text box, the cipher suites must be on one line with no spaces after the commas.
Note In FIPS mode, list GCM cipher suites only.
6 Exit the Group Policy Management Editor.
7 To make the new group policy take effect, restart the Horizon Agent machines.
VMware, Inc. 22
Installing Horizon Connection
Server 4
To use Connection Server, you install the software on supported computers, configure the
required components, and, optionally, optimize the components.
Note You can install Connection Servers in parallel if the Cloud Pod Architecture feature is not
enabled on the Connection Server cluster. For more information about troubleshooting
Connection Server installation errors during the parallel upgrade process, see "Troubleshooting
Errors During Upgrade and Installation of Connection Servers" in the Horizon Upgrades
document.
n Installing the Horizon Connection Server Software
n Installation Prerequisites for Horizon Connection Server
n Install Horizon Connection Server with a New Configuration
n Install a Replicated Instance of Horizon Connection Server
n Unified Access Gateway Appliance Advantages over VPN
n Horizon LDAP
n Firewall Rules for Horizon Connection Server
n Reinstall Horizon Connection Server with a Backup Configuration
n Microsoft Windows Installer Command-Line Options
n Uninstalling VMware Horizon Components Silently by Using MSI Command-Line Options
Installing the Horizon Connection Server Software

Depending on the performance, availability, and security needs of your VMware Horizon
deployment, you can install a single instance of Connection Server and replicated instances of
Connection Server. You must install at least one instance of Connection Server.
When you install Connection Server, you select a type of installation.
Standard installation
VMware, Inc. 23
Generates a Connection Server instance with a new Horizon LDAP configuration.
Replica installation
Generates a Connection Server instance with a Horizon LDAP configuration that is copied
from an existing instance.
Enrollment Server installation
Installs an enrollment server that is required for the True SSO (single sign-on) feature, so that
after users log in to VMware Workspace ONE Access, they can connect to a remote desktop
or application without having to provide Active Directory credentials. The enrollment server
requests the short-lived certificates that are used for authentication.
Note Because this feature requires that a certificate authority also be set up, and specific
configuration performed, the installation procedure for the enrollment server is provided in
the Horizon Administration document.
Installation Prerequisites for Horizon Connection Server

Before you install Connection Server, you must verify that your installation environment satisfies
specific prerequisites.
n You must have a valid license for VMware Horizon.
n You must join the Connection Server host to an Active Directory domain. Connection Server
supports certain Active Directory Domain Services (AD DS) domain functional levels. For
more information, see the VMware Knowledge Base (KB) article https://kb.vmware.com/s/
article/78652.
The Connection Server host must not be a domain controller.
Note Connection Server does not make, nor does it require, any schema or configuration
updates to Active Directory.
n Do not install Connection Server on systems that have the Windows Terminal Server role
installed. You must remove the Windows Terminal Server role from any system on which you
install Connection Server.
n Do not install Connection Server on a system that performs any other functions or roles. For
example, do not use the same system to host vCenter Server.
n The system on which you install Connection Server must have an IP address that does not
change. In an IPv4 environment, configure a static IP address. In an IPv6 environment,
machines automatically get IP addresses that do not change.
n To run the Horizon Connection Server installer, you must use a domain user account with
Administrator privileges on the system.
VMware, Inc. 24
n When you install Connection Server, you authorize an Administrators account. You can
specify the local Administrators group or a domain user or group account. VMware Horizon
assigns full administration rights, including the right to install replicated Connection Server
instances, to this account only. If you specify a domain user or group, you must create the
account in Active Directory before you run the installer.
n When you are preparing virtual machines on which to install the connection servers, you must
use Sysprep on each virtual machine so that each virtual machine has a unique SID before
installing Connection Server on each virtual machine separately. You can clone additional
virtual machines from an existing virtual machine template but you must do so prior to
installing the Connection Server on the virtual machine template. Do not install Connection
Server on a virtual machine, and then clone this virtual machine that has Connection Server
installed into additional Connection Server virtual machines. The correct process is to first
clone a virtual machine from a virtual machine template that does not have Connection Server
installed, run Sysprep on each cloned virtual machine, and then install the Connection Server
on each machine separately.
Note Never import the ADAM data to a Connection Server from another Connection Server
which is not part of the cluster. For example, do not import ADAM data from a different pod in a
CPA environment. Doing so will override the CMS key and subsequently decryption of sensitive
ADAM data will fail. This is a non recoverable error and will require building the environment
again.
Install Horizon Connection Server with a New Configuration

To install Connection Server as a single server or as the first instance in a group of replicated
Connection Server instances, you use the standard installation option.
When you select the standard installation option, the installation creates a new, local Horizon
LDAP configuration. The installation loads the schema definitions, Directory Information Tree
(DIT) definition, and ACLs and initializes the data.
After installation, you manage most Horizon LDAP configuration data by using Horizon Console.
Connection Server automatically maintains some Horizon LDAP entries.
The Connection Server software cannot coexist on the same virtual or physical machine with any
other VMware Horizon software component, including a replica server, Horizon Agent, or Horizon
Client.
When you install Connection Server with a new configuration, you can participate in a customer
experience improvement program. VMware collects anonymous data about your deployment in
order to improve VMware's response to user requirements. No data that identifies your
organization is collected. You can choose not to participate by deselecting this option during the
installation. If you change your mind about participating after the installation, you can either join
VMware, Inc. 25
or withdraw from the program by editing the Product Licensing and Usage page in Horizon
Console. To review the list of fields from which data is collected, including the fields that are
made anonymous, see "Information Collected by the Customer Experience Improvement
Program" in the Horizon Administration document.
By default, the HTML Access component is installed on the Connection Server host when you
install Connection Server. This component configures the VMware Horizon user portal page to
display an HTML Access icon in addition to the Horizon Client icon. The additional icon allows
users to select HTML Access when they connect to their desktops.
For an overview of setting up Connection Server for HTML Access, see the VMware Horizon
HTML Access Installation and Setup Guide document, located on the Horizon Client
Documentation page.
Prerequisites
n Verify that you can log in as a domain user with administrator privileges on the Windows
Server computer on which you install Connection Server.
n Verify that your installation satisfies the requirements described in Horizon Connection Server
Requirements.
n Prepare your environment for the installation. See Installation Prerequisites for Horizon
Connection Server.
n If you intend to authorize a domain user or group as the Administrators account, verify that
you created the domain account in Active Directory.
n Prepare a data recovery password. When you back up Connection Server, the Horizon LDAP
configuration is exported as encrypted LDIF data. To restore the encrypted backup VMware
Horizon configuration, you must provide the data recovery password. The password must
contain between 1 and 128 characters. Follow your organization's best practices for
generating secure passwords.
Important You will need the data recovery password to keep VMware Horizon operating
and avoid downtime in a Business Continuity and Disaster Recovery (BCDR) scenario. You
can provide a password reminder with the password when you install Connection Server.
n Familiarize yourself with the network ports that must be opened on the Windows Firewall for
Connection Server instances. See Firewall Rules for Horizon Connection Server.
Procedure
1 Download the Connection Server installer file from the VMware download site at https://
my.vmware.com/web/vmware/downloads.
Under Desktop & End-User Computing, select the VMware Horizon download, which includes
Connection Server.
The installer filename is VMware-Horizon-Connection-Server-x86_64-y.y.y-xxxxxx.exe,

where xxxxxx is the build number and y.y.y is the version number.
VMware, Inc. 26
2 To start the Connection Server installation program, double-click the installer file.
3 Accept the VMware license terms.
4 Accept or change the destination folder.
5 Select the Horizon Standard Server installation option.
6 Make sure that Install HTML Access is selected if you intend to allow users to connect to their
desktops by using a Web browser.
If IPv4 is selected, this setting is selected by default. If IPv6 is selected, this setting is not
displayed because HTML Access is not supported in an IPv6 environment.
7 Select the Internet Protocol (IP) version, IPv4 or IPv6.
You must install all VMware Horizon components with the same IP version.
8 Select whether to enable or disable FIPS mode.
This option is available only if FIPS is enabled in Windows.
9 Type a data recovery password and optional password reminder.
This password is required when you recover a backup of Connection Server.
10 Choose how to configure the Windows Firewall service.
Option Action
Configure Windows Firewall Let the installer configure Windows Firewall to allow the required network
automatically connections.
Do not configure Windows Firewall Configure the Windows firewall rules manually.
Select this option only if your organization uses its own predefined rules for
configuring Windows Firewall.
11 Authorize a Horizon Administrators account.
Only members of this account can log in to Horizon Console, exercise full administration
rights, and install replicated Connection Server instances and other VMware Horizon servers.
Option Description
Authorize the local Administrators Allows users in the local Administrators group to administer VMware
group Horizon.
Authorize a specific domain user or Allows the specified domain user or group to administer VMware Horizon.
domain group
12 If you specified a domain Horizon Administrators account, and you are running the installer as
a local administrator or another user without access to the domain account, provide
credentials to log in to the domain with an authorized user name and password.
Use domain name\user name or user principal name (UPN) format. UPN format can be
user@domain.com.
VMware, Inc. 27
13 Choose whether to participate in the customer experience improvement program.
If you participate, you can optionally select the type, size, and location of your organization.
14 Select where you want to deploy Connection Server.
Option Description
General If you are deploying your connection servers on-premises or in any location
other those listed below. This is the default selection.
AWS If you are deploying your connection servers on AWS or on VMware Cloud
on AWS
Dell EMC If you are deploying your connection servers on VMC on Dell EMC
Azure If you are deploying your connection servers on Azure or on Azure VMware
Solution (AVS)
Google If you are deploying your connection servers on Google or on Google Cloud
VMware Engine (GCVE)
Oracle Cloud If you are deploying your connection servers on Oracle Cloud or on Oracle
VMware Cloud Solution (OCVS)
Note This option specifies where the Connection Server is deployed. In a later step, when
you add vCenter, you can specify a separate location for deploying your virtual desktops.
For example, if you want to deploy Connection Servers on native Microsoft Azure and your
desktops in a VMware SDDC on the Azure VMware Solution, you would select Azure in the
current step. And then when you add a vCenter, you would specify "Azure VMware Solution"
as the deployment type.
15 Click Install to complete the wizard and install Connection Server.
16 Check for new patches on the Windows Server computer and run Windows Update as
needed.
Even if you fully patched the Windows Server computer before you installed Connection
Server, the installation might have enabled operating system features for the first time.
Additional patches might now be required.
Results
The following VMware Horizon services are installed on the Windows server computer:
n VMware Horizon Connection Server
n VMware Horizon Framework Component
n VMware Horizon Message Bus Component
n VMware Horizon Script Host
n VMware Horizon Security Gateway Component
n VMware Horizon PCoIP Secure Gateway
VMware, Inc. 28
n VMware Horizon Blast Secure Gateway
n VMware Horizon Web Component
n VMware VDMDS, which provides Horizon LDAP services
For information about these services, see the Horizon Administration document.
If the Install HTML Access setting was selected during the installation, the HTML Access
component is installed on the Windows Server computer. This component configures the HTML
Access icon in the VMware Horizon user portal page and enables the VMware Horizon
Connection Server (Blast-In) rule in the Windows Firewall. This firewall rule allows Web browsers
on client devices to connect to the Connection Server on TCP port 8443.
What to do next
Configure SSL server certificates for Connection Server. See Chapter 5 Configuring TLS
Certificates for VMware Horizon Servers.
Perform initial configuration on Connection Server. See Chapter 6 Configuring VMware Horizon
for the First Time.
If you plan to include replicated Connection Server instances in your deployment, you must install
each server instance by running the Connection Server installer file.
If you are reinstalling Connection Server and you have a data collector set configured to monitor
performance data, stop the data collector set and start it again.
Install Horizon Connection Server Silently

You can use the silent installation feature of the Microsoft Windows Installer (MSI) to perform a
standard installation of Connection Server on several Windows computers. In a silent installation,
you use the command line and do not have to respond to wizard prompts.
With silent installation, you can efficiently deploy VMware Horizon components in a large
enterprise.
Prerequisites
n Verify that you can log in as a domain user with administrator privileges on the Windows
Server computer on which you install Connection Server.
Requirements.
Connection Server.
n If you intend to authorize a domain user or group as the Horizon Administrators account,
verify that you created the domain account in Active Directory.
n If you use MIT Kerberos authentication to log in to a Windows Server 2008 R2 computer on
which you are installing Connection Server, install the Microsoft hotfix that is described in KB
978116 at http://support.microsoft.com/kb/978116.
VMware, Inc. 29
n Verify that the Windows computer on which you install Connection Server has version 2.0 or
later of the MSI runtime engine. For details, see the Microsoft Web site.
n Familiarize yourself with the MSI installer command-line options. See Microsoft Windows
Installer Command-Line Options.
n Familiarize yourself with the silent installation properties available with a standard installation
of Connection Server. See Silent Installation Properties for a Horizon Connection Server
Standard Installation.
Procedure
Connection Server.

2 Open a command prompt on the Windows Server computer.
3 Type the installation command on one line.
For example: VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"/qn

VDM_SERVER_INSTANCE_TYPE=1 VDM_INITIAL_ADMIN_SID=S-1-5-32-544 VDM_SERVER_RECOVERY_PWD=mini
VDM_SERVER_RECOVERY_PWD_REMINDER=""First car"""
Important When you perform a silent installation, the full command line, including the data
recovery password, is logged in the installer's vminst.log file. After the installation is
complete, either delete this log file or change the data recovery password by using Horizon
Console.
needed.
Results
The VMware Horizon services are installed on the Windows Server computer:
VMware, Inc. 30
What to do next
Configure SSL server certificates for Connection Server. See Chapter 5 Configuring TLS
Certificates for VMware Horizon Servers.
If you are configuring VMware Horizon for the first time, perform initial configuration on
Connection Server. See Chapter 6 Configuring VMware Horizon for the First Time.
Silent Installation Properties for a Horizon Connection Server

Standard Installation
You can include specific Connection Server properties when you perform a silent installation or
upgrade from the command line. You must use a PROPERTY=value format so that Microsoft
Windows Installer (MSI) can interpret the properties and values. A silent upgrade uses the same
install commands.
Table 4-1. MSI Properties for Silently Installing Connection Server in a Standard Installation
MSI Property Description Default Value
INSTALLDIR The path and folder in which the Connection Server software is %ProgramFiles%
installed. \VMware\VMware View
For example: INSTALLDIR=""D:\abc\my folder"" \Server
The sets of two double quotes that enclose the path permit the
MSI installer to interpret the space as a valid part of the path.
VDM_SERVER_ The type of Horizon server installation: 1

INSTANCE_TYPE n 1. Standard installation
n 2. Replica installation
n 5. Enrollment server installation
For example, to perform a standard installation, define
VDM_SERVER_INSTANCE_TYPE=1
VMware, Inc. 31
Table 4-1. MSI Properties for Silently Installing Connection Server in a Standard Installation
(continued)
HTMLACCESS Controls the HTML Access add-on installation. Set this property 1
to 1 to configure HTML Access or omit the property if HTML
Access is not needed.
VDM_IP_PROTOCOL_ Specifies the IP version that Horizon components use for IPv4
USAGE communication. The possible values are IPv4 and IPv6.
VDM_SERVER_ The data recovery password. If a data recovery password is not None
RECOVERY_PWD set in Horizon LDAP, this property is mandatory.
The password must contain between 1 and 128 characters.
Follow your organization's best practices for generating secure
passwords.
VDM_SERVER_RECOVER The data recovery password reminder. This property is optional. None
Y_
PWD_REMINDER
FWCHOICE The MSI property that determines whether to configure a firewall 1

for the Connection Server instance.
A value of 1 configures a firewall. A value of 2 does not configure
a firewall.
For example: FWCHOICE=1
VDM_INITIAL_ The SID of the initial Horizon Administrators user or group that is S-1-5-32-544
ADMIN_SID authorized with full administration rights in Horizon.
The default value is the SID of the local Administrators group on
the Connection Server computer. You can specify a SID of a
domain user or group account.
DEPLOYMENT_TYPE Provide the location where you will deploy Connection Server. If GENERAL
you do not provide a deployment type, the default is an on-
premises installation. For a list of deployment types, see Install
Horizon Connection Server with a New Configuration.
VDM_FIPS_ENABLED Specifies whether to enable or disable FIPS mode. A value of 1 0

enables FIPS mode. A value of 0 disables FIPS mode. If this
property is set to 1 and Windows is not in FIPS mode, the
installer will abort.
Install a Replicated Instance of Horizon Connection Server

To provide high availability and load balancing, you can install one or more additional instances
of Connection Server that replicate an existing Connection Server instance. After a replica
installation, the existing and newly installed instances of Connection Server are identical.
When you install a replicated instance, VMware Horizon copies the Horizon LDAP configuration
data from the existing Connection Server instance.
VMware, Inc. 32
After the installation, identical Horizon LDAP configuration data is maintained on all Connection
Server instances in the replicated group. When a change is made on one instance, the updated
information is copied to the other instances.
If a replicated instance fails, the other instances in the group continue to operate. When the failed
instance resumes activity, its configuration is updated with the changes that took place during
the outage.
Note Replication functionality is provided by Horizon LDAP, which uses the same replication
technology as Active Directory.
The replica server software cannot coexist on the same virtual or physical machine with any
other VMware Horizon software component, including a Connection Server, Horizon Agent, or
Horizon Client.
By default, the HTML Access component is installed on the Connection Server host when you
install Connection Server. This component configures the VMware Horizon user portal page to
display an HTML Access icon in addition to the Horizon Client icon. The additional icon allows
users to select HTML Access when they connect to their desktops.
For an overview of setting up Connection Server for HTML Access, see the VMware Horizon
HTML Access Installation and Setup Guide document, located on the Horizon Client
Documentation page.
Prerequisites
n Verify that at least one Connection Server instance is installed and configured on the
network.
n To install the replicated instance, you must log in as a user with the Administrators role. You
specify the account or group with the Administrators role when you install the first instance
of Connection Server. The role can be assigned to the local Administrators group or a domain
user or group. See Install Horizon Connection Server with a New Configuration.
n If the existing Connection Server instance is in a different domain than the replicated instance,
the domain user must also have Administrator privileges on the Windows Server computer
where the existing instance is installed.
Requirements.
n Verify that the computers on which you install replicated Connection Server instances are
connected over a high-performance LAN. See Network Requirements for Replicated Horizon
Connection Server Instances.
Connection Server.
n Prepare a data recovery password. See Install Horizon Connection Server with a New
Configuration.
VMware, Inc. 33
Procedure
Connection Server.

2 To start the Connection Server installation program, double-click the installer file.
3 Accept the VMware license terms.
4 Accept or change the destination folder.
5 Select the Horizon Replica Server installation option.
6 Select the Internet Protocol (IP) version, IPv4 or IPv6.
You must install all VMware Horizon components with the same IP version.
7 Select whether to enable or disable FIPS mode.
This option is available only if FIPS mode is enabled in Windows.
8 Make sure that Install HTML Access is selected if you intend to allow users to connect to their
desktops by using HTML Access.
If IPv4 is selected, this setting is selected by default. If IPv6 is selected, this setting is not
displayed because HTML Access is not supported in an IPv6 environment.
9 Enter the host name or IP address of the existing Connection Server instance you are
replicating.
10 Type a data recovery password and, optionally, a password reminder.
11 Choose how to configure the Windows Firewall service.
Option Action
Configure Windows Firewall Let the installer configure Windows Firewall to allow the required network
automatically connections.
Do not configure Windows Firewall Configure the Windows firewall rules manually.
Select this option only if your organization uses its own predefined rules for
configuring Windows Firewall.
12 Complete the installation wizard to finish installing the replicated instance.
VMware, Inc. 34
needed.
Results
What to do next
Configure an SSL server certificate for the Connection Server instance. See Chapter 5 Configuring
TLS Certificates for VMware Horizon Servers.
You do not have to perform an initial VMware Horizon configuration on a replicated instance of
Connection Server. The replicated instance inherits its configuration from the existing Connection
Server instance.
However, you might have to configure client connection settings for this Connection Server
instance, and you can tune Windows Server settings to support a large deployment. See
Configuring Horizon Client Connections and Sizing Windows Server Settings to Support Your
Deployment.
If you are reinstalling Connection Server and you have a data collector set configured to monitor
performance data, stop the data collector set and start it again.
VMware, Inc. 35
Install a Replicated Instance of Horizon Connection Server Silently

You can use the silent installation feature of the Microsoft Windows Installer (MSI) to install a
replicated instance of Connection Server on several Windows computers. In a silent installation,
you use the command line and do not have to respond to wizard prompts.
With silent installation, you can efficiently deploy VMware Horizon components in a large
enterprise.
Prerequisites
n Verify that at least one Connection Server instance is installed and configured on the
network.
n To install the replicated instance, you must log in as a user with credentials to access the
Administrators account. You specify the Administrators account when you install the first
instance of Connection Server. The account can be the local Administrators group or a
domain user or group account. See Install Horizon Connection Server with a New
Configuration.
n If the existing Connection Server instance is in a different domain than the replicated instance,
the domain user must also have Administrator privileges on the Windows Server computer
where the existing instance is installed.
Requirements.
n Verify that the computers on which you install replicated Connection Server instances are
connected over a high-performance LAN. See Network Requirements for Replicated Horizon
Connection Server Instances.
Connection Server.
n Familiarize yourself with the MSI installer command-line options. See Microsoft Windows
Installer Command-Line Options.
n Familiarize yourself with the silent installation properties available with a replica installation of
Connection Server. See Silent Installation Properties for a Replicated Instance of Horizon
Connection Server.
Procedure
Connection Server.
VMware, Inc. 36

2 Open a command prompt on the Windows Server computer.
3 Type the installation command on one line.
For example: VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"/qn

VDM_SERVER_INSTANCE_TYPE=2 ADAM_PRIMARY_NAME=cs1.companydomain.com
VDM_INITIAL_ADMIN_SID=S-1-5-32-544"
If you install a replicated Connection Server instance that is View 5.1 or later, and the existing
Connection Server instance you are replicating is View 5.0.x or earlier, you must specify a
data recovery password, and you can add a password reminder. For example: VMware-
viewconnectionserver-y.y.y-xxxxxx.exe /s /v"/qn VDM_SERVER_INSTANCE_TYPE=2
ADAM_PRIMARY_NAME=cs1.companydomain.com VDM_INITIAL_ADMIN_SID=S-1-5-32-544
VDM_SERVER_RECOVERY_PWD=mini VDM_SERVER_RECOVERY_PWD_REMINDER=""First car"""
Important When you perform a silent installation, the full command line, including the data
recovery password, is logged in the installer's vminst.log file. After the installation is
complete, either delete this log file or change the data recovery password by using Horizon
Console.
needed.
Results
VMware, Inc. 37
What to do next
Configure an SSL server certificate for the Connection Server instance. See Chapter 5 Configuring
TLS Certificates for VMware Horizon Servers.
You do not have to perform an initial VMware Horizon configuration on a replicated instance of
Connection Server. The replicated instance inherits its configuration from the existing Connection
Server instance.
However, you might have to configure client connection settings for this Connection Server
instance, and you can tune Windows Server settings to support a large deployment. See
Configuring Horizon Client Connections and Sizing Windows Server Settings to Support Your
Deployment.
Silent Installation Properties for a Replicated Instance of Horizon

Connection Server
You can include specific properties when you silently install a replicated Horizon Connection
Server instance from the command line. You must use a PROPERTY=value format so that Microsoft
Windows Installer (MSI) can interpret the properties and values.
Table 4-2. MSI Properties for Silently installing a Replicated Instance of Horizon Connection
Server
INSTALLDIR The path and folder in which the Connection Server software is %ProgramFiles%
installed. \VMware\VMware
For example: INSTALLDIR=""D:\abc\my folder"" View\Server
The sets of two double quotes that enclose the path permit the
MSI installer to interpret the space as a valid part of the path.
This MSI property is optional.
VDM_SERVER_INSTANCE The type of Connection Server installation: 1

_TYPE n 1. Standard installation
n 2. Replica installation
To install a replicated instance, define
VDM_SERVER_INSTANCE_TYPE=2
This MSI property is required when installing a replica.
ADAM_PRIMARY_NAME The host name or IP address of the existing Connection Server None
instance you are replicating.
For example: ADAM_PRIMARY_NAME=cs1.companydomain.com
This MSI property is required.
VMware, Inc. 38
Table 4-2. MSI Properties for Silently installing a Replicated Instance of Horizon Connection
Server (continued)
FWCHOICE The MSI property that determines whether to configure a firewall 1

for the Connection Server instance.
A value of 1 configures a firewall. A value of 2 does not configure a
firewall.
For example: FWCHOICE=1
VDM_SERVER_ The data recovery password. If a data recovery password is not None
RECOVERY_PWD set in Horizon LDAP, this property is mandatory.
The password must contain between 1 and 128 characters. Follow
your organization's best practices for generating secure
passwords.
VDM_SERVER_RECOVER The data recovery password reminder. This property is optional. None
Y_
PWD_REMINDER
VDM_IP_PROTOCOL_ Specifies the IP version that VMware Horizon components use for IPv4
USAGE communication. The possible values are IPv4 and IPv6
VDM_FIPS_ENABLED Specifies whether to enable or disable FIPS mode. A value of 1 0

enables FIPS mode. A value of 0 disables FIPS mode. If this
property is set to 1 and Windows is not in FIPS mode, the installer
will abort.
Unified Access Gateway Appliance Advantages over VPN

A Unified Access Gateway appliance is a default gateway for secure access to remote desktops
and applications from outside the corporate firewall.
For the latest version of Unified Access Gateway documentation, see the Deploying and
Configuring VMware Unified Access Gateway document in https://docs.vmware.com/en/Unified-
Access-Gateway/index.html.
A Unified Access Gateway appliance resides within a network demilitarized zone (DMZ) and acts
as a proxy host for connections inside a trusted network, providing an additional layer of security
by shielding virtual desktops, application hosts, and servers from the public-facing Internet.
Configure a Unified Access Gateway Appliance

Unified Access Gateway and generic VPN solutions are similar as they both ensure that traffic is
forwarded to an internal network only on behalf of strongly authenticated users.
VMware, Inc. 39
Unified Access Gateway advantages over generic VPN include the following.
n Access Control Manager. Unified Access Gateway applies access rules automatically. Unified
Access Gateway recognizes the entitlements of the users and the addressing required to
connect internally. A VPN does the same, because most VPNs allow an administrator to
configure network connection rules for every user or group of users individually. At first, this
works well with a VPN, but requires significant administrative effort to maintain the required
rules.
n User Interface. Unified Access Gateway does not alter the straightforward Horizon Client user
interface. With Unified Access Gateway, when the Horizon Client is launched, authenticated
users are in their View environment and have controlled access to their desktops and
applications. A VPN requires that you must set up the VPN software first and authenticate
separately before starting the Horizon Client.
n Performance. Unified Access Gateway is designed to maximize security and performance.

With Unified Access Gateway, PCoIP, HTML access, and WebSocket protocols are secured
without requiring additional encapsulation. VPNs are implemented as SSL VPNs. This
implementation meets security requirements and, with Transport Layer Security (TLS)
enabled, is considered secure, but the underlying protocol with SSL/TLS is just TCP-based.
With modern video remoting protocols exploiting connectionless UDP-based transports, the
performance benefits can be significantly eroded when forced over a TCP-based transport.
This does not apply to all VPN technologies, as those that can also operate with DTLS or
IPsec instead of SSL/TLS can work well with Horizon 7 desktop protocols.
Enhance Horizon Security with Unified Access Gateway

A Unified Access Gateway appliance enhances security by layering device certification
authentication on top of user authentication so access can be restricted only from known good
devices and adding another layer of security on virtual desktop infrastructure.
Note This feature is supported in Horizon Client for Windows only.
n See Configuring Certificate or Smart Card Authentication on the Unified Access Gateway
appliance in the Deploying and Configuring VMware Unified Access Gateway document in
https://docs.vmware.com/en/Unified-Access-Gateway/index.html.
n The Endpoint Compliance Checks feature provides an extra layer of security for accessing
Horizon desktops in addition to the other user authentication services that are available on
Unified Access Gateway. See Endpoint Compliance Checks for Horizon in the Deploying and
Configuring VMware Unified Access Gateway document in https://docs.vmware.com/en/
Unified-Access-Gateway/index.html.
Important When a Unified Access Gateway appliance is configured for two-factor

authentication (RSA SecureID and RADIUS) and Windows user name matching is enabled, and
there are multiple user domains, you should enable Connection Server to send the domain list so
that the user can select the correct domain while using the Windows username and password for
authentication.
VMware, Inc. 40
Double-hop DMZ
For cases where a double-hop DMZ between the Internet and the internal network is required,
you can deploy a Unified Access Gateway appliance in the outer DMZ as a Web Reverse Proxy
with Unified Access Gateway in the inner DMZ to create a double-hop DMZ configuration. Traffic
passes through a specific reverse proxy in each DMZ layer and cannot bypass a DMZ layer. For
configuration details, see the Deploying and Configuring VMware Unified Access Gateway
document.
Horizon LDAP
Horizon LDAP is the data repository for all VMware Horizon configuration information. Horizon
LDAP is an embedded Lightweight Directory Access Protocol (LDAP) directory that is provided
with the Connection Server installation
Horizon LDAP contains standard LDAP directory components that are used by VMware Horizon.
n VMware Horizon schema definitions
n Directory information tree (DIT) definitions
n Access control lists (ACLs)
Horizon LDAP contains directory entries that represent VMware Horizon objects.
n Remote desktop entries that represent each accessible desktop. Each entry contains
references to the Foreign Security Principal (FSP) entries of Windows users and groups in
Active Directory who are authorized to use the desktop.
n Remote desktop pool entries that represent multiple desktops managed together
n Virtual machine entries that represent the vCenter Server virtual machine for each remote
desktop
n VMware Horizon component entries that store configuration settings
Horizon LDAP also contains a set of VMware Horizon plug-in DLLs that provide automation and
notification services for other VMware Horizon components.
LDAP Replication
When you install a replicated instance of Connection Server, VMware Horizon copies the Horizon
LDAP configuration data from the existing Connection Server instance. Identical Horizon LDAP
configuration data is maintained on all Connection Server instances in the replicated group. When
a change is made on one instance, the updated information is copied to the other instances.
If a replicated instance fails, the other instances in the group continue to operate. When the failed
instance resumes activity, its configuration is updated with the changes that took place during
the outage. With VMware Horizon and later releases, a replication status check is performed
every 15 minutes to determine whether each instance can communicate with the other servers in
the replicated group and whether each instance can fetch LDAP updates from the other servers
in the group.
VMware, Inc. 41
You can use the dashboard in Horizon Console to check the replication status. If any Connection
Server instances have a red icon in the dashboard, click the icon to see the replication status.
Replication might be impaired for any of the following reasons:
n A firewall might be blocking communication
n The VMware VDMDS service might be stopped on a Connection Server instance
n The VMware VDMDS DSA options might be blocking the replications
n A network problem has occurred
By default, the replication check occurs every 15 minutes. You can use ADSI Edit on a Connection
Server instance to change the interval. To set the number of minutes, connect to
DC=vdi,DC=vmware,DC=int and edit the pae-ReplicationStatusDataExpiryInMins attribute on
the CN=Common,OU=Global,OU=Properties object.
The pae-ReplicationStatusDataExpiryInMins attribute value should be between 10 minutes and

1440 minutes (one day). If the attribute value is less than 10 minutes, VMware Horizon treats it as
10 minutes. If the attribute value is greater than 1440, VMware Horizon treats it as 1440 minutes.
Firewall Rules for Horizon Connection Server

Certain ports must be opened on the firewall for Connection Server instances.
When you install Connection Server, the installation program can optionally configure the
required Windows Firewall rules for you. These rules open the ports that are used by default. If
you change the default ports after installation, you must manually configure Windows Firewall to
allow Horizon Client devices to connect to VMware Horizon through the updated ports.
The following table lists the default ports that can be opened automatically during installation.
Ports are incoming unless otherwise noted.
Table 4-3. Ports Opened During Horizon Connection Server Installation
Protocol Ports Horizon Connection Server Instance Type
JMS TCP 4001 Standard and replica
JMS TCP 4002 Standard and replica
JMSIR TCP 4100 Standard and replica
JMSIR TCP 4101 Standard and replica
AJP13 TCP 8009 Standard and replica
HTTP TCP 80 Standard, replica
HTTPS TCP 443 Standard, replica
PCoIP TCP 4172 in; Standard, replica

UDP 4172 both
directions
VMware, Inc. 42
Table 4-3. Ports Opened During Horizon Connection Server Installation (continued)
Protocol Ports Horizon Connection Server Instance Type
HTTPS TCP 8443 Standard, replica

UDP 8443 After the initial connection to VMware Horizon is made, the Web browser or client
device connects to the Blast Secure Gateway on TCP port 8443. The Blast Secure
Gateway must be enabled on a Connection Server instance to allow this second
connection to take place.
HTTPS TCP 8472 Standard and replica

For the Cloud Pod Architecture feature: used for interpod communication.
HTTP TCP 22389 Standard and replica

For the Cloud Pod Architecture feature: used for global LDAP replication.
HTTPS TCP 22636 Standard and replica

For the Cloud Pod Architecture feature: used for secure global LDAP replication.
Reinstall Horizon Connection Server with a Backup

Configuration
In certain situations, you might have to reinstall the current version of a Connection Server
instance and restore the existing VMware Horizon configuration by importing a backup LDIF file
that contains the Horizon LDAP configuration data.
For example, as part of a business continuity and disaster recovery (BC/DR) plan, you might want
to have a procedure ready to implement in case a datacenter stops functioning. The first step in
such a plan is to ensure that the Horizon LDAP configuration is backed up in another location. A
second step is to install Connection Server in the new location and import the backup
configuration, as described in this procedure.
You might also use this procedure when you set up a second datacenter with the existing
VMware Horizon configuration. Or you might use it if your VMware Horizon deployment contains
only a single Connection Server instance, and a problem occurs with that server.
You do not have to follow this procedure if you have multiple Connection Server instances in a
replicated group, and a single instance goes down. You can simply reinstall Connection Server as
a replicated instance. During the installation, you provide connection information to another
Connection Server instance, and VMware Horizon restores the Horizon LDAP configuration from
the other instance.
Prerequisites
n Verify that the Horizon LDAP configuration was backed up to an encrypted LDIF file.
n Familiarize yourself with restoring a Horizon LDAP configuration from an LDIF backup file by
using the vdmimport command.
See "Backing Up and Restoring VMware Horizon Configuration Data" in the Horizon
Administration document.
VMware, Inc. 43
n Familiarize yourself with the steps for installing a new Connection Server instance. See Install
Horizon Connection Server with a New Configuration.
Procedure
1 Install Connection Server with a new configuration.
2 Decrypt the encrypted LDIF file.
For example:
vdmimport -d -p mypassword
-f MyEncryptedexport.LDF > MyDecryptedexport.LDF
3 Import the decrypted LDIF file to restore the Horizon LDAP configuration.
For example:
vdmimport -f MyDecryptedexport.LDF
Note At this stage, the VMware Horizon configuration is not yet accessible. Clients cannot
access Connection Server or connect to their desktops.
4 Uninstall the Connection Server from the computer by using the Windows Add/Remove
Programs utility.
Do not uninstall the Horizon LDAP configuration, called the AD LDS Instance VMwareVDMDS
instance. You can use the Add/Remove Programs utility to verify that the AD LDS Instance
VMwareVDMDS instance was not removed from the Windows Server computer.
5 Reinstall Connection Server.
At the installer prompt, accept the existing Horizon LDAP.
What to do next
Configure Connection Server and your VMware Horizon environment as you would after you
install a Connection Server instance with a new configuration.
Microsoft Windows Installer Command-Line Options

To install Horizon components silently, you must use Microsoft Windows Installer (MSI)
command-line options and properties. The Horizon component installers are MSI programs and
use standard MSI features.
For details about MSI, see the Microsoft Web site. For MSI command-line options, see the
Microsoft Developer Network (MSDN) Library Web site and search for MSI command-line
options. To see MSI command-line usage, you can open a command prompt on the Horizon
component computer and type msiexec /?.
To run a Horizon component installer silently, you begin by silencing the bootstrap program that
extracts the installer into a temporary directory and starts an interactive installation.
VMware, Inc. 44
At the command line, you must enter command-line options that control the installer's bootstrap
program.
Table 4-4. Command-Line Options for a Horizon Component's Bootstrap Program
Option Description
/s Disables the bootstrap splash screen and extraction dialog, which prevents the
display of interactive dialogs.
For example: VMware-Horizon-Connection-Server-y.y.y-xxxxxx.exe /s
The /s option is required to run a silent installation.
/v" Instructs the installer to pass the double-quote-enclosed string that you enter at the
MSI_command_line_options" command line as a set of options for MSI to interpret. You must enclose your
command-line entries between double quotes. Place a double quote after the /v and
at the end of the command line.
For example: VMware-Horizon-Agent-x86-YYMM-y.y.y-xxxxxx.exe /s /
v"command_line_options"
To instruct the MSI installer to interpret a string that contains spaces, enclose the
string in two sets of double quotes. For example, you might want to install the
Horizon component in an installation path name that contains spaces.
For example: VMware-Horizon-Connection-Server-y.y.y-xxxxxx.exe /s /
v"command_line_options INSTALLDIR=""d:\abc\my folder"""
In this example, the MSI installer passes on the installation-directory path and does
not attempt to interpret the string as two command-line options. Note the final
double quote that encloses the entire command line.
The /v"command_line_options" option is required to run a silent installation.
You control the remainder of a silent installation by passing command-line options and MSI
property values to the MSI installer, msiexec.exe. The MSI installer includes the Horizon
component's installation code. The installer uses the values and options that you enter in the
command line to interpret installation choices and setup options that are specific to the Horizon
component.
Table 4-5. MSI Command-Line Options and MSI Properties

MSI Option or
Property Description
/qn Instructs the MSI installer not to display the installer wizard pages.
For example, you might want to install Horizon Agent silently and use only default setup options
and features:
VMware-Horizon-Agent-x86-YYMM-y.y.y-xxxxxx.exe /s /v"/qn"
Alternatively, you can use the /qb option to display a basic progress dialog box in a
noninteractive, automated installation.
The /qn or /qb option is required to run a silent installation.
For information about additional /q parameters, see the Microsoft Dev Center website.
INSTALLDIR Specifies an alternative installation path for the Horizon component.

Use the format INSTALLDIR=path to specify an installation path. You can ignore this MSI
property if you want to install the Horizon component in the default path.
VMware, Inc. 45
Table 4-5. MSI Command-Line Options and MSI Properties (continued)

MSI Option or
ADDLOCAL Determines the component-specific options to install.

In an interactive installation, the Horizon installer displays custom setup options that you can
select or deselect. In a silent installation, you can use the ADDLOCAL property to selectively install
individual setup options by specifying the options on the command line. Options that you do not
explicitly specify are not installed.
In both interactive and silent installations, the Horizon installer automatically installs certain
features. You cannot use ADDLOCAL to control whether or not to install these non-optional
features.
Type ADDLOCAL=ALL to install all custom setup options that can be installed during an interactive
installation, including those that are installed by default and those that you must select to install,
except NGVC. NGVC and SVIAgent are mutually exclusive.
The following example installs Core, BlastProtocol, PCoIP, UnityTouch, VmVideo, PSG, and all
features that are supported on the guest operating system: VMware-Horizon-Agent-x86-YYMM-
y.y.y-xxxxxx.exe /s /v"/qn ADDLOCAL=ALL"
If you do not use the ADDLOCAL property, the custom setup options that are installed by default
and the automatically installed features are installed. Custom setup options that are off
(unselected) by default are not installed.
The following example installs Core, BlastProtocol, PCoIP, UnityTouch, VmVideo, PSG, and the
on-by-default custom setup options that are supported on the guest operating system: VMware-
Horizon-Agent-x86-YYMM-y.y.y-xxxxxx.exe /s /v"/qn"
To specify individual setup options, type a comma-separated list of setup option names. Do not
use spaces between names. Use the format ADDLOCAL=value,value,value....
You must include Core when you use the ADDLOCAL=value,value,value... property.
The following example installs Horizon Agent with the Core, BlastProtocol, PCoIP, UnityTouch,
VmVideo, PSG, and Instant Clone Agent features:
VMware-Horizon-Agent-x86-YYMM-y.y.y-xxxxxx.exe /s /v"/qn ADDLOCAL=Core,NGVC
The preceding example does not install other components, even those that are installed by
default interactively.
The ADDLOCAL MSI property is optional.
REBOOT You can use the REBOOT=ReallySuppress option to allow system configuration tasks to
complete before the system reboots.
REINSTALL You can use the REINSTALL=ALL option to install a Horizon Agent patch.
The following example installs the patch:
msiexec /p VMware-Horizon-Agent-x86_64-YYMM-y.y.y-xxxxxx.msp /qn REINSTALL=ALL
VMware, Inc. 46
Table 4-5. MSI Command-Line Options and MSI Properties (continued)

MSI Option or
REMOVE You can use the REMOVE=<value> option to remove a feature.

The following example uninstalls the USB feature:
VMware-Horizon-Agent-x86-YYMM-y.y.y-xxxxxx.exe /s /v"/qn REMOVE=USB"
/l*v log_file Writes logging information into the specified log file with verbose output.
For example: /l*v ""%TEMP%\vmmsi.log""
This example generates a detailed log file that is similar to the log generated during an
interactive installation.
You can use this option to record custom features that might apply uniquely to your installation.
You can use the recorded information to specify installation features in future silent installations.
The /l*v option is optional.
Uninstalling VMware Horizon Components Silently by Using

MSI Command-Line Options
You can uninstall VMware Horizon components by using Microsoft Windows Installer (MSI)
command-line options.
Syntax
msiexec.exe
/qb
/x
product_code
Options
The /qb option displays the uninstall progress bar. To suppress displaying the uninstall progress
bar, replace the /qb option with the /qn option.
The /x option uninstalls the VMware Horizon component.
The product_code string identifies the VMware Horizon component product files to the MSI
uninstaller. You can find the product_code string by searching for ProductCode in the %TEMP%
\vmmsi.log file that is created during the installation. To find the product_code string that applies
to older versions of VMware Horizon components, see the VMware Knowledge Base (KB) article
at http://kb.vmware.com/kb/2064845.
For information about MSI command-line options, see Microsoft Windows Installer Command-Line
Options.
VMware, Inc. 47
Uninstall a Horizon Agent Example

To uninstall a 32-bit Horizon Agent, enter the following command:
msiexec.exe /qb /x {B23352D8-AD44-4379-A56E-0E337F9C4036}
To uninstall a 64-bit Horizon Agent, enter the following command:
msiexec.exe /qb /x {53D6EE37-6B10-4963-81B1-8E2972A1DA4D}
Add a verbose log to the command.
/l*v "%TEMP%\vmmsi_uninstall.log"
If you do not explicitly pass the /l option, the default verbose log file is %TEMP%\MSInnnn.log,
where nnnn is a four-character GUID.
The Horizon Agent uninstallation process retains some registry keys. These keys are required for
retaining the Connection Server configuration information that enables the remote desktop to
continue being paired with the Connection Server even if the agent is uninstalled and then
reinstalled. Removing these registry keys will break that pairing.
The following registry keys are retained:
n HKLM\SOFTWARE\Microsoft\SystemCertificates\VMware Horizon View Certificates\*
n HKLM\SOFTWARE\Microsoft\SystemCertificates\VMwareView\Certificates\*
n HKLM\SOFTWARE\Microsoft\SystemCertificates\VMwareView\CRLs
n HKLM\SOFTWARE\Microsoft\SystemCertificates\VMwareView\CTLs
n HKLM\SOFTWARE\Policies\VMware, Inc.\VMware VDM\*
n HKLM\SOFTWARE\Policies\VMware, Inc.\Horizon Monitoring Service Agent\*
n HKLM\SOFTWARE\VMware, Inc.\VMware VDM\*
n HKLM\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\VMware Horizon View Certificates\*
n HKLM\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\VMwareView\*
n HKLM\SOFTWARE\Wow6432Node\Policies\VMware, Inc.\VMware VDM\*
n HKLM\SOFTWARE\Wow6432Node\Policies\VMware, Inc.\Horizon Monitoring Service Agent\*
n HKLM\SOFTWARE\Wow6432Node\VMware, Inc.
n HKLM\SOFTWARE\Wow6432Node\VMware, Inc.\VMware VDM
VMware, Inc. 48
Configuring TLS Certificates for
VMware Horizon Servers 5
VMware strongly recommends that you configure TLS certificates for authentication of
Connection Server instances.
A default TLS server certificate is generated when you install Connection Server instances. You
can use the default certificate for testing purposes.
Certificates used for communication between Connection Servers and also between Horizon
Agents and Connection Server instances, are replaced using an automatic mechanism, and
cannot be replaced manually. For more details, see the Horizon Security document.
Important Replace the default certificate as soon as possible. The default certificate is not
signed by a Certificate Authority (CA). Use of certificates that are not signed by a CA can allow
untrusted parties to intercept traffic by masquerading as your server.
n Understanding TLS Certificates for VMware Horizon Servers
n Overview of Tasks for Setting Up TLS Certificates
n Obtaining a Signed TLS Certificate from a CA
n Configure Horizon Connection Server to Use a New TLS Certificate
n Configure Client Endpoints to Trust Root and Intermediate Certificates
n Configuring Certificate Revocation Checking on Server Certificates
n Configure the PCoIP Secure Gateway to Use a New TLS Certificate
n Setting Horizon Console to Trust a vCenter Server Certificate
n Accept the Thumbprint of a Default TLS Certificate
n Benefits of Using TLS Certificates Signed by a CA
n Update the Certificates on a Connection Server Instance
n Troubleshooting Certificate Issues on Horizon Connection Server
VMware, Inc. 49
Understanding TLS Certificates for VMware Horizon Servers

You must follow certain guidelines for configuring TLS certificates for VMware Horizon servers
and related components.
Horizon Connection Server

TLS is required for client connections to a server. Client-facing Connection Server instances and
intermediate servers that terminate TLS connections require TLS server certificates.
By default, when you install Connection Server, the installation generates a self-signed certificate
for the server. However, the installation uses an existing certificate in the following cases:
n If a valid certificate with a Friendly name of vdm already exists in the Windows Certificate
Store
n If you upgrade to VMware Horizon from an earlier release, and a valid keystore file is
configured on the Windows Server computer, the installation extracts the keys and
certificates and imports them into the Windows Certificate Store.
vCenter Server
Before you add vCenter Server to VMware Horizon in a production environment, make sure that
vCenter Server uses certificates that are signed by a CA.
For information about replacing the default certificate for vCenter Server, see "Replacing vCenter
Server Certificates" on the VMware Technical Papers site at http://www.vmware.com/resources/
techresources/.
PCoIP Secure Gateway

To comply with industry or jurisdiction security regulations, you can replace the default TLS
certificate that is generated by the PCoIP Secure Gateway (PSG) service with a certificate that is
signed by a CA. Configuring the PSG service to use a CA-signed certificate is highly
recommended, particularly for deployments that require you to use security scanners to pass
compliance testing. See Configure the PCoIP Secure Gateway to Use a New TLS Certificate.
Blast Secure Gateway

By default, the Blast Secure Gateway (BSG) uses the TLS certificate that is configured for the
Connection Server instance on which the BSG is running. If you replace the default, self-signed
certificate for a server with a CA-signed certificate, the BSG also uses the CA-signed certificate.
VMware, Inc. 50
SAML 2.0 Authenticator

VMware Workspace ONE Access uses SAML 2.0 authenticators to provide Web-based
authentication and authorization across security domains. If you want VMware Horizon to
delegate authentication to VMware Workspace ONE Access, you can configure VMware Horizon
to accept SAML 2.0 authenticated sessions from VMware Workspace ONE Access. When
VMware Workspace ONE Access is configured to support VMware Horizon, VMware Workspace
ONE Access users can connect to remote desktops by selecting desktop icons on the Horizon
User Portal.
In Horizon Console, you can configure SAML 2.0 authenticators for use with Connection Server
instances.
Before you add a SAML 2.0 authenticator in Horizon Console, make sure that the SAML 2.0
authenticator uses a certificate that is signed by a CA.
Additional Guidelines
For general information about requesting and using TLS certificates that are signed by a CA, see
Benefits of Using TLS Certificates Signed by a CA.
When client endpoints connect to a Connection Server instance, they are presented with the
server's TLS server certificate and any intermediate certificates in the trust chain. To trust the
server certificate, the client systems must have installed the root certificate of the signing CA.
When Connection Server communicates with vCenter Server, Connection Server is presented
with TLS server certificates and intermediate certificates from this server. To trust the vCenter
Server, the Connection Server computer must have installed the root certificate of the signing
CA.
Similarly, if a SAML 2.0 authenticator is configured for Connection Server, the Connection Server
computer must have installed the root certificate of the signing CA for the SAML 2.0 server
certificate.
Overview of Tasks for Setting Up TLS Certificates

To set up TLS server certificates for VMware Horizon servers, you must perform several high-
level tasks.
In a pod of replicated Connection Server instances, you must perform these tasks on all instances
in the pod.
The procedures for carrying out these tasks are described in the topics that follow this overview.
1 Determine if you need to obtain a new signed TLS certificate from a CA.
VMware, Inc. 51
If your organization already has a valid TLS server certificate, you can use that certificate to
replace the default TLS server certificate provided with Connection Server. To use an existing
certificate, you also need the accompanying private key.
Starting Place Action
Your organization provided you with a valid TLS server Go directly to step 2.
certificate.
You do not have an TLS server certificate. Obtain a signed TLS server certificate from a CA.
2 Import the TLS certificate into the Windows local computer certificate store on the VMware
Horizon server host.
3 For Connection Server instances modify the certificate Friendly name to vdm.
Assign the Friendly name vdm to only one certificate on each VMware Horizon server host.
4 On Connection Server computers, if the root certificate is not trusted by the Windows Server
host, import the root certificate into the Windows local computer certificate store.
In addition, if the Connection Server instances do not trust the root certificates of the TLS
server certificates configured for vCenter Server hosts, you also must import those root
certificates. Take these steps for Connection Server instances only. You do not have to
import the root certificate to vCenter Server hosts.
5 If your server certificate was signed by an intermediate CA, import the intermediate
certificates into the Windows local computer certificate store.
To simplify client configuration, import the entire certificate chain into the Windows local
computer certificate store. If intermediate certificates are missing from the VMware Horizon
server, they must be configured for clients and computers that launch Horizon Console.
6 If your CA is not well known, configure clients to trust the root and intermediate certificates.
Also ensure that the computers on which you launch Horizon Console trust the root and
intermediate certificates.
7 Determine whether to reconfigure certificate revocation checking.
Connection Server performs certificate revocation checking on VMware Horizon servers and
vCenter Server. Most certificates signed by a CA include certificate revocation information. If
your CA does not include this information, you can configure the server not to check
certificates for revocation.
If a SAML authenticator is configured for use with a Connection Server instance, Connection
Server also performs certificate revocation checking on the SAML server certificate.
Obtaining a Signed TLS Certificate from a CA

If your organization does not provide you with an TLS server certificate, you must request a new
certificate that is signed by a CA.
VMware, Inc. 52
You can use several methods to obtain a new signed certificate. For example, you can use the
Microsoft certreq utility to generate a Certificate Signing Request (CSR) and submit a certificate
request to a CA.
See the Scenarios for Setting Up TLS Certificates for Horizon document for an example that
shows you how to use certreq to accomplish this task.
For testing purposes, you can obtain a free temporary certificate based on an untrusted root
from many CAs.
Important You must follow certain rules and guidelines when you obtain signed TLS certificates
from a CA.
n When you generate a certificate request on a computer, make sure that a private key is
generated also. When you obtain the TLS server certificate and import it into the Windows
local computer certificate store, there must be an accompanying private key that
corresponds to the certificate.
n To comply with VMware security recommendations, use the fully qualified domain name
(FQDN) that client devices use to connect to the host. Do not use a simple server name or IP
address, even for communications within your internal domain.
n Do not generate certificates for servers using a KeyLength value under 1024. Client endpoints
will not validate a certificate on a server that was generated with a KeyLength under 1024,
and the clients will fail to connect to the server. Certificate validations that are performed by
Connection Server will also fail, resulting in the affected servers showing as red in the Horizon
Console dashboard.
For general information about obtaining certificates, consult the Microsoft online help available
with the Certificate Snap-in to MMC. If the Certificate Snap-in is not yet installed on your
computer, see Add the Certificate Snap-In to MMC.
Obtain a Signed Certificate from a Windows Domain or Enterprise

CA
To obtain a signed certificate from a Windows Domain or Enterprise CA, you can use the
Windows Certificate Enrollment wizard in the Windows Certificate Store.
This method of requesting a certificate is appropriate if communications between computers

remain within your internal domain. For example, obtaining a signed certificate from a Windows
Domain CA might be appropriate for server-to-server communications.
If your clients connect to VMware Horizon servers from an external network, request TLS server
certificates that are signed by a trusted, third-party CA.
Prerequisites
n Determine the fully qualified domain name (FQDN) that client devices use to connect to the
host.
VMware, Inc. 53
To comply with VMware security recommendations, use the FQDN, not a simple server name
or IP address, even for communications within your internal domain.
n Verify that the Certificate snap-in was added to MMC. See Add the Certificate Snap-In to
MMC.
n Verify that you have the appropriate credentials to request a certificate that can be issued to
a computer or service.
Procedure
1 In the MMC window on the Windows Server host, expand the Certificates (local computer)
node and select the Personal folder.
2 From the Action menu, go to All Tasks > Request New Certificate to display the Certificate
Enrollment wizard.
3 Select a Certificate Enrollment Policy.
4 Select the types of certificates that you want to request, select the Make private key
exportable option, and click Enroll.
5 Click Finish.
Results
The new signed certificate is added to the Personal > Certificates folder in the Windows
Certificate Store.
What to do next
n Verify that the server certificate and certificate chain were imported into the Windows
Certificate Store.
n For a Connection Server instance modify the certificate friendly name to vdm. See Modify the
Certificate Friendly Name.
Configure Horizon Connection Server to Use a New TLS

Certificate
To configure a Connection Server instance to use a TLS certificate, you must import the server
certificate and the entire certificate chain into the Windows local computer certificate store on
the Connection Server host.
In a pod of replicated Connection Server instances, you must import the server certificate and
certificate chain on all instances in the pod.
VMware, Inc. 54
By default, the Blast Secure Gateway (BSG) uses the TLS certificate that is configured for the
Connection Server instance on which the BSG is running. If you replace the default, self-signed
certificate for a VMware Horizon server with a CA-signed certificate, the BSG also uses the CA-
signed certificate.
Important To configure Connection Server to use a certificate, you must change the certificate
Friendly name to vdm. Also, the certificate must have an accompanying private key.
Procedure
1 Add the Certificate Snap-In to MMC

Before you can add certificates to the Windows Certificate Store, you must add the
Certificate snap-in to the Microsoft Management Console (MMC) on the Windows Server
host on which the VMware Horizon server is installed.
2 Import a Signed Server Certificate into a Windows Certificate Store

You must import the TLS server certificate into the Windows local computer certificate store
on the Windows Server host on which Connection Server is installed.
3 Modify the Certificate Friendly Name

To configure a Connection Server instance to recognize and use an TLS certificate, you must
modify the certificate Friendly name to vdm.
4 Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store
If the Windows Server host on which Connection Server is installed does not trust the root
certificate for the signed TLS server certificate, you must import the root certificate into the
Windows local computer certificate store. In addition, if the Connection Server host does not
trust the root certificates of the TLS server certificates configured for vCenter Server hosts,
you also must import those root certificates.
Add the Certificate Snap-In to MMC

Before you can add certificates to the Windows Certificate Store, you must add the Certificate
snap-in to the Microsoft Management Console (MMC) on the Windows Server host on which the
VMware Horizon server is installed.
Prerequisites
Verify that the MMC and Certificate snap-in are available on the Windows Server computer on
which the VMware Horizon server is installed.
Procedure
1 On the Windows Server computer, click Start and type mmc.exe.
2 In the MMC window, go to File > Add/Remove Snap-in.
3 In the Add or Remove Snap-ins window, select Certificates and click Add.
VMware, Inc. 55
4 In the Certificates snap-in window, select Computer account, click Next, select Local
computer, and click Finish.
5 In the Add or Remove snap-in window, click OK.
What to do next
Import the TLS server certificate into the Windows Certificate Store.
Import a Signed Server Certificate into a Windows Certificate Store

You must import the TLS server certificate into the Windows local computer certificate store on
the Windows Server host on which Connection Server is installed.
Depending on your certificate file format, the entire certificate chain that is contained in the
keystore file might be imported into the Windows local computer certificate store. For example,
the server certificate, intermediate certificate, and root certificate might be imported.
For other types of certificate files, only the server certificate is imported into the Windows local
computer certificate store. In this case, you must take separate steps to import the root
certificate and any intermediate certificates in the certificate chain.
For more information about certificates, consult the Microsoft online help available with the
Certificate snap-in to MMC.
Note If you off-load TLS connections to an intermediate server, you must import the same TLS
server certificate onto both the intermediate server and the off-loaded VMware Horizon server.
For details, see "Off-load TLS Connections to Intermediate Servers" in the Scenarios for Setting
Up TLS Certificates for Horizon document.
Prerequisites
Verify that the Certificate snap-in was added to MMC. See Add the Certificate Snap-In to MMC.
Procedure
1 In the MMC window on the Windows Server host, expand the Certificates (Local Computer)
node and select the Personal folder.
2 In the Actions pane, go to More Actions > All Tasks > Import.
3 In the Certificate Import wizard, click Next and browse to the location where the certificate is
stored.
4 Select the certificate file and click Open.
To display your certificate file type, you can select its file format from the File name drop-
down menu.
5 Type the password for the private key that is included in the certificate file.
6 Select Mark this key as exportable.
7 Select Include all extended properties.
VMware, Inc. 56
8 Click Next and click Finish.
The new certificate appears in the Certificates (Local Computer) > Personal > Certificates
folder.
9 Verify that the new certificate contains a private key.
a In the Certificates (Local Computer) > Personal > Certificates folder, double-click the
new certificate.
b In the General tab of the Certificate Information dialog box, verify that the following
statement appears: You have a private key that corresponds to this certificate.
What to do next
Modify the certificate Friendly name to vdm.
Modify the Certificate Friendly Name

To configure a Connection Server instance to recognize and use an TLS certificate, you must
modify the certificate Friendly name to vdm.
Prerequisites
Verify that the server certificate is imported into the Certificates (Local Computer) > Personal >
Certificates folder in the Windows Certificate Store. See Import a Signed Server Certificate into a
Windows Certificate Store.
Procedure
1 In the MMC window on the Windows Server host, expand the Certificates (Local Computer)
node and select the Personal > Certificates folder.
2 Right-click the certificate that is issued to the VMware Horizon server host and click
Properties.
3 On the General tab, delete the Friendly name text and type vdm.
4 Click Apply and click OK.
5 Verify that no other server certificates in the Personal > Certificates folder have a Friendly
name of vdm.
a Locate any other server certificate, right-click the certificate, and click Properties.
b If the certificate has a Friendly name of vdm, delete the name, click Apply, and click OK.
What to do next
Import the root certificate and intermediate certificates into the Windows local computer
certificate store.
After all certificates in the chain are imported, you must restart the Connection Server service to
make your changes take effect.
VMware, Inc. 57
Import a Root Certificate and Intermediate Certificates into a

Windows Certificate Store
If the Windows Server host on which Connection Server is installed does not trust the root
certificate for the signed TLS server certificate, you must import the root certificate into the
Windows local computer certificate store. In addition, if the Connection Server host does not
trust the root certificates of the TLS server certificates configured for vCenter Server hosts, you
also must import those root certificates.
If the Connection Server and vCenter Server certificates are signed by a root CA that is known
and trusted by the Connection Server host, and there are no intermediate certificates in your
certificate chains, you can skip this task. Commonly used Certificate Authorities are likely to be
trusted by the host.
You must import untrusted root certificates on all replicated Connection Server instances in a
pod.
Note You do not have to import the root certificate into vCenter Server hosts.
If a server certificate is signed by an intermediate CA, you also must import each intermediate
certificate in the certificate chain. To simplify client configuration, import the entire intermediate
chain to vCenter Server hosts as well as Connection Server hosts. If intermediate certificates are
missing from a Connection Server host, they must be configured for clients and computers that
launch Horizon Console. If intermediate certificates are missing from a vCenter Server host, they
must be configured for each Connection Server instance.
If you already verified that the entire certificate chain is imported into the Windows local
computer certificate store, you can skip this task.
Note If a SAML authenticator is configured for use by a Connection Server instance, the same
guidelines apply to the SAML 2.0 authenticator. If the Connection Server host does not trust the
root certificate configured for a SAML authenticator, or if the SAML server certificate is signed by
an intermediate CA, you must ensure that the certificate chain is imported into the Windows local
computer certificate store.
Procedure
1 In the MMC console on the Windows Server host, expand the Certificates (Local Computer)
node and go to the Trusted Root Certification Authorities > Certificates folder.
n If your root certificate is in this folder, and there are no intermediate certificates in your
certificate chain, skip to step 7.
n If your root certificate is not in this folder, proceed to step 2.
2 Right-click the Trusted Root Certification Authorities > Certificates folder and click All Tasks
> Import.
3 In the Certificate Import wizard, click Next and browse to the location where the root CA
certificate is stored.
VMware, Inc. 58
4 Select the root CA certificate file and click Open.
5 Click Next, click Next, and click Finish.
6 If your server certificate was signed by an intermediate CA, import all intermediate
certificates in the certificate chain into the Windows local computer certificate store.
a Go to the Certificates (Local Computer) > Intermediate Certification Authorities >

Certificates folder.
b Repeat steps 3 through 6 for each intermediate certificate that must be imported.
7 Restart the Connection Server service or vCenter Server service to make your changes take
effect.
Configure Client Endpoints to Trust Root and Intermediate

Certificates
If a VMware Horizon server certificate is signed by a CA that is not trusted by client computers
and client computers that access Horizon Console, you can configure all Windows client systems
in a domain to trust the root and intermediate certificates. To do so, you must add the public key
for the root certificate to the Trusted Root Certification Authorities group policy in Active
Directory and add the root certificate to the Enterprise NTAuth store.
For example, you might have to take these steps if your organization uses an internal certificate
service.
You do not have to take these steps if the Windows domain controller acts as the root CA, or if
your certificates are signed by a well known CA. For well known CAs, the operating system
venders preinstall the root certificate on client systems.
If your server certificates are signed by a little-known intermediate CA, you must add the
intermediate certificate to the Intermediate Certification Authorities group policy in Active
Directory.
For client devices that use other operating systems than Windows, see the following instructions
for distributing root and intermediate certificates that users can install:
n For Horizon Client for Mac, see Configure Horizon Client for Mac to Trust Root and
Intermediate Certificates.
n For Horizon Client for iOS, see Configure Horizon Client for iOS to Trust Root and
Intermediate Certificates.
n For Horizon Client for Android, see documentation on the Google Web site, such as the
Android User's Guide
n For Horizon Client for Linux, see the Ubuntu documentation
VMware, Inc. 59
Prerequisites
Verify that the server certificate was generated with a KeyLength value of 1024 or larger. Client
endpoints will not validate a certificate on a server that was generated with a KeyLength under
1024, and the clients will fail to connect to the server.
Procedure
1 On your Active Directory server, use the certutil command to publish the certificate to the
Enterprise NTAuth store.
For example: certutil -dspublish -f path_to_root_CA_cert NTAuthCA
3 Expand the Computer Configuration section and go to Windows Settings > Security
Settings > Public Key Policies.
4 Import the certificate.
Option Description
Root certificate a Right-click Trusted Root Certification Authorities and select Import.
b Follow the prompts in the wizard to import the root certificate (for
example, rootCA.cer) and click OK.
Intermediate certificate a Right-click Intermediate Certification Authorities and select Import.

b Follow the prompts in the wizard to import the intermediate certificate
(for example, intermediateCA.cer) and click OK.
Results
All systems in the domain now have certificate information in their trusted root certificate stores
and intermediate certificate stores that allows them to trust the root and intermediate
certificates.
Configure Horizon Client for Mac to Trust Root and Intermediate

Certificates
If a server certificate is signed by a CA that is not trusted by computers that run Horizon Client
for Mac, you can configure these computers to trust the root and intermediate certificates. You
must distribute the root certificate and all intermediate certificates in the trust chain to the client
computers.
VMware, Inc. 60
Procedure
1 Deliver the root certificate and intermediate certificates to the computer that is running
Horizon Client for Mac.
2 Open the root certificate on the Mac computer.
The certificate displays the following message: Do you want your computer to trust
certificates signed by CA name from now on?
3 Click Always Trust
4 Type the user password.
5 Repeat steps 2 through 4 for all intermediate certificates in the trust chain.
Configure Horizon Client for iOS to Trust Root and Intermediate

Certificates
If a server certificate is signed by a CA that is not trusted by iPads and iPhones that run Horizon
Client for iOS, you can configure the device to trust the root and intermediate certificates. You
must distribute the root certificate and all intermediate certificates in the trust chain to the
devices.
Procedure
1 Send the root certificate and intermediate certificates as email attachments to the iPad.
2 Open the email attachment for the root certificate and select Install.
The certificate displays the following message:
Unverifiable Profile. The authenticity of Certificate name cannot be verified. Installing this
profile will change settings on your iPad.
Root Certificate. Installing the certificate Certificate name will add it to the list of trusted
certificates on your iPad.
3 Select Install again.
4 Repeat steps 2 and 3 for all intermediate certificates in the trust chain.
Configuring Certificate Revocation Checking on Server

Certificates
Each Connection Server instance performs certificate revocation checking on its own certificate.
Each instance also checks the certificates of vCenter Server whenever it establishes a connection
to vCenter Server. By default, all certificates in the chain are checked except the root certificate.
You can, however, change this default.
If a SAML 2.0 authenticator is configured for use by a Connection Server instance, Connection
Server also performs certificate revocation checking on the SAML 2.0 server certificate.
VMware, Inc. 61
VMware Horizon supports various means of certificate revocation checking, such as certificate
revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP). A CRL is a list of
revoked certificates published by the CA that issued the certificates. OCSP is a certificate
validation protocol that is used to get the revocation status of an X.509 certificate.
With CRLs, the list of revoked certificates is downloaded from a certificate distribution point (DP)
that is often specified in the certificate. The server periodically goes to the CRL DP URL specified
in the certificate, downloads the list, and checks it to determine whether the server certificate has
been revoked. With OCSP, the server sends a request to an OCSP responder to determine the
revocation status of the certificate.
When you obtain a server certificate from a third-party certificate authority (CA), the certificate
includes one or more means by which its revocation status can be determined, including, for
example, a CRL DP URL or the URL for an OCSP responder. If you have your own CA and
generate a certificate but do not include revocation information in the certificate, the certificate
revocation check fails. An example of revocation information for such a certificate could include,
for example, a URL to a Web-based CRL DP on a server where you host a CRL.
If you have your own CA but do not or cannot include certificate revocation information in your
certificate, you can choose not to check certificates for revocation or to check only certain
certificates in a chain. On the server, with the Windows Registry Editor, you can create the string
(REG_SZ) value CertificateRevocationCheckType, under HKLM\Software\VMware, Inc.\VMware
VDM\Security, and set this value to one of the following data values.
Value Description
1 Do not perform certificate revocation checking.
2 Check only the server certificate. Do not check any other certificates in the chain.
3 Check all certificates in the chain.
4 (Default) Check all certificates except the root certificate.
If this registry value is not set, or if the value set is not valid (that is, if the value is not 1, 2, 3, or 4),
all certificates are checked except the root certificate. Set this registry value on each server on
which you intend to modify revocation checking. You do not have to restart the system after you
set this value.
Note If your organization uses proxy settings for Internet access, you might have to configure
your Connection Server computers to use the proxy settings to ensure that certificate revocation
checking can be performed for Connection Server instances that are used for secure client
connections. If a Connection Server instance cannot access the Internet, certificate revocation
checking might fail, and the Connection Server instance might show up as red on the Horizon
Console dashboard. For more information, see Troubleshooting Certificate Issues on Horizon
Connection Server.
VMware, Inc. 62
Configure the PCoIP Secure Gateway to Use a New TLS

Certificate
To comply with industry or jurisdiction security regulations, you can replace the default TLS
certificate that is generated by the PCoIP Secure Gateway (PSG) service with a certificate that is
signed by a CA.
In VMware Horizon, the PSG service creates a default, self-signed TLS certificate when the
service starts up. The PSG service presents the self-signed certificate to clients running Horizon
Client 5.2 for Windows or later releases that connect to the PSG.
The PSG also provides a default legacy TLS certificate that is presented to clients running older
clients or earlier releases that connect to the PSG.
The default certificates provide secure connections from client endpoints to the PSG and do not
require further configuration in Horizon Console. However, configuring the PSG service to use a
CA-signed certificate is highly recommended, particularly for deployments that require you to
use security scanners to pass compliance testing.
Although it is not required, you are most likely to configure new CA-signed TLS certificates for
your servers before you replace the default PSG certificate with a CA-signed certificate. The
procedures that follow assume that you already imported a CA-signed certificate into the
Windows certificate store for the server on which the PSG is running.
Note If you are using a security scanner for compliance testing, you might want to start by
setting the PSG to use the same certificate as the server and scan the VMware Horizon port
before the PSG port. You can resolve trust or validation issues that occur during the scan of the
View port to ensure that these issues do not invalidate your test of the PSG port and certificate.
Next, you can configure a unique certificate for the PSG and do another scan.
Procedure
1 Verify That the Server Name Matches the PSG Certificate Subject Name
When a Connection Server instance is installed, the installer creates a registry setting with a
value that contains the FQDN of the computer. You must verify that this value matches the
server name part of the URL that security scanners use to reach the PSG port. The server
name also must match the subject name or a subject alternate name (SAN) of the TLS
certificate that you intend to use for the PSG.
2 Configure a PSG Certificate in the Windows Certificate Store

To replace the default PSG certificate with a CA-signed certificate, you must configure the
certificate and its private key in the Windows local computer certificate store on the
Connection Server computer on which the PSG is running.
3 Set the PSG Certificate Friendly Name in the Windows Registry

The PSG identifies the TLS certificate to use by means of the server name and certificate
Friendly name. You must set the Friendly name value in the Windows registry on the
Connection Server computer on which the PSG is running.
VMware, Inc. 63
4 (Optional) Force a CA-Signed Certificate to Be Used for Connections to the PSG

You can ensure that all client connections to the PSG use the CA-signed certificate for the
PSG instead of the default legacy certificate. This procedure is not required to configure a
CA-signed certificate for the PSG. Take these steps only if it makes sense to force the use of
a CA-signed certificate in your VMware Horizon deployment.
Verify That the Server Name Matches the PSG Certificate Subject
Name
When a Connection Server instance is installed, the installer creates a registry setting with a value
that contains the FQDN of the computer. You must verify that this value matches the server
name part of the URL that security scanners use to reach the PSG port. The server name also
must match the subject name or a subject alternate name (SAN) of the TLS certificate that you
intend to use for the PSG.
For example, if a scanner connects to the PSG with the URL https://view.customer.com:4172,
the registry setting must have the value view.customer.com. Note that the FQDN of the
Connection Server computer that is set during installation might not be the same as this external
server name.
Procedure
1 Start the Windows Registry Editor on the Connection Server host where the PCoIP Secure
Gateway is running.
2 Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway\SSLCertPsgSni

registry setting.
3 Verify that the value of the SSLCertPsgSni setting matches the server name in the URL that
scanners will use to connect to the PSG and matches the subject name or a subject alternate
name of the TLS certificate that you intend to install for the PSG.
If the value does not match, replace it with the correct value.
4 To make your changes take effect, restart the VMware Horizon PCoIP Secure Gateway
service.
What to do next
Import the CA-signed certificate into the Windows local computer certificate store and configure
the certificate Friendly name.
Configure a PSG Certificate in the Windows Certificate Store

To replace the default PSG certificate with a CA-signed certificate, you must configure the
certificate and its private key in the Windows local computer certificate store on the Connection
Server computer on which the PSG is running.
VMware, Inc. 64
If you intend the PSG to use a unique certificate, you must import the certificate into the
Windows local computer certificate store with an exportable private key and set the appropriate
Friendly name.
If you intend the PSG to use the same certificate as the server, you do not have to follow this
procedure. However, in the Windows registry you must set the server name to match the server
certificate subject name and set the Friendly name to vdm.
Prerequisites
n Verify that the key length is at least 1024 bits.
n Verify that the TLS certificate is valid. The current time on the server computer must be
within the certificate start and end dates.
n Verify that the certificate subject name or a subject alternate name matches the
SSLCertPsgSni setting in the Windows registry. See Verify That the Server Name Matches
the PSG Certificate Subject Name.
n Verify that the Certificate snap-in was added to MMC. See Add the Certificate Snap-In to
MMC.
n Familiarize yourself with importing a certificate into the Windows certificate store. See Import
a Signed Server Certificate into a Windows Certificate Store.
n Familiarize yourself with modifying the certificate Friendly name. See Modify the Certificate
Friendly Name.
Procedure
1 In the MMC window on the Windows Server host, open the Certificates (Local Computer) >
Personal folder.
2 Import the TLS certificate that is issued to the PSG by selecting More Actions > All Tasks >
Import.
Select the following settings in the Certificate Import wizard:
a Mark this key as exportable
b Include all extendable properties
Complete the wizard to finish importing the certificate into the Personal folder
3 Verify that the new certificate contains a private key by taking one of these steps:
n Verify that a yellow key appears on the certificate icon.
n Double-click the certificate and verify that the following statement appears in the
Certificate Information dialog box: You have a private key that corresponds to this
certificate..
4 Right-click the new certificate and click Properties.
VMware, Inc. 65
5 On the General tab, delete the Friendly name text and type the Friendly name that you have
chosen.
Make sure that you enter exactly the same name in the SSLCertWinCertFriendlyName setting
in the Windows registry, as described in the next procedure.
6 Click Apply and click OK.
Results
The PSG presents the CA-signed certificate to client devices that connect to the server over
PCoIP.
Note This procedure does not affect legacy client devices. The PSG continues to present the
default legacy certificate to legacy client devices that connect the this server over PCoIP.
What to do next
Configure the certificate Friendly name in the Windows registry.
Set the PSG Certificate Friendly Name in the Windows Registry

The PSG identifies the TLS certificate to use by means of the server name and certificate Friendly
name. You must set the Friendly name value in the Windows registry on the Connection Server
computer on which the PSG is running.
The certificate Friendly name vdm is used by all Connection Server instances. By contrast, you
can configure your own certificate Friendly name for the PSG certificate. You must configure a
Windows registry setting to enable the PSG to match the correct name with the Friendly name
that you will set in the Windows certificate store.
The PSG can use the same TLS certificate as the server on which the PSG is running. If you
configure the PSG to use the same certificate as the server, the Friendly name must be vdm.
The Friendly name value, in both the registry and the Windows certificate store, is case sensitive.
Prerequisites
n Verify that the Window registry contains the correct subject name that is used to reach the
PSG port and that matches the PSG certificate subject name or subject alternate name. See
Verify That the Server Name Matches the PSG Certificate Subject Name.
n Verify that the certificate Friendly name is configured in the Windows local computer
certificate store. See Configure a PSG Certificate in the Windows Certificate Store.
Procedure
1 Start the Windows Registry Editor on the Connection Server computer where the PCoIP
Secure Gateway is running.
2 Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway registry key.
3 Add a new String (REG_SZ) value, SSLCertWinCertFriendlyName, to this registry key.
VMware, Inc. 66
4 Modify the SSLCertWinCertFriendlyName value and type the certificate Friendly name to be
used by the PSG.
For example: pcoip

If you use the same certificate as the server, the value must be vdm.
service.
What to do next
Verify that client devices continue to connect to the PSG.
If you are using a security scanner for compliance testing, scan the PSG port.
Force a CA-Signed Certificate to Be Used for Connections to the PSG

You can ensure that all client connections to the PSG use the CA-signed certificate for the PSG
instead of the default legacy certificate. This procedure is not required to configure a CA-signed
certificate for the PSG. Take these steps only if it makes sense to force the use of a CA-signed
certificate in your VMware Horizon deployment.
In some cases, the PSG might present the default legacy certificate instead of the CA-signed
certificate to a security scanner, invalidating the compliance test on the PSG port. To resolve this
issue, you can configure the PSG not to present the default legacy certificate to any device that
attempts to connect.
Important Performing this procedure prevents all legacy clients from connecting to this server
over PCoIP.
Prerequisites
Verify that all client devices that connect to this server, including thin clients, run Horizon Client
5.2 for Windows or Horizon Client or later releases. You must upgrade the legacy clients.
Procedure
3 Add a new String (REG_SZ) value, SSLCertPresentLegacyCertificate, to this registry key.
4 Set the SSLCertPresentLegacyCertificate value to 0.
service.
VMware, Inc. 67
Setting Horizon Console to Trust a vCenter Server

Certificate
In the Horizon Console dashboard, you can configure VMware Horizon to trust a vCenter Server
certificate that is untrusted.
VMware strongly recommends that you configure vCenter Server to use TLS certificates that are
signed by a CA. Alternatively, you can accept the thumbprint of the default certificate for
vCenter Server.
Similarly, VMware recommends that you configure SAML 2.0 authenticators to use TLS
certificates that are signed by a CA. Alternatively, in the Horizon Console dashboard you can
configure VMware Horizon to trust an untrusted SAML 2.0 server certificate by accepting the
thumbprint of the default certificate.
Accept the Thumbprint of a Default TLS Certificate

When you add vCenter Server instances to VMware Horizon, you must ensure that the TLS
certificates that are used for vCenter Server are valid and trusted by Connection Server. If the
default certificates that are installed with vCenter Server are still in place, you must determine
whether to accept these certificates' thumbprints.
If a vCenter Server is configured with a certificate that is signed by a CA, and the root certificate
is trusted by Connection Server, you do not have to accept the certificate thumbprint. No action
is required.
If you replace a default certificate with a certificate that is signed by a CA, but Connection Server
does not trust the root certificate, you must determine whether to accept the certificate
thumbprint. A thumbprint is a cryptographic hash of a certificate. The thumbprint is used to
quickly determine if a presented certificate is the same as another certificate, such as the
certificate that was accepted previously.
For details about configuring TLS certificates, see Chapter 5 Configuring TLS Certificates for
VMware Horizon Servers.
You first add vCenter Server in Horizon Console by using the Add vCenter Server wizard. If a
certificate is untrusted and you do not accept the thumbprint, you cannot add vCenter Server.
After these servers are added, you can reconfigure them in the Edit vCenter Server dialog box.
Note You also must accept a certificate thumbprint when you upgrade from an earlier release
and a vCenter Server certificate is untrusted, or if you replace a trusted certificate with an
untrusted certificate.
On the Horizon Console dashboard, the vCenter Server icon turns red and an Invalid Certificate
Detected dialog box appears. In Horizon Console, click Settings > Servers and select the vCenter
Server. Then, click Edit in the vCenter Server settings and follow the prompts to verify the and
accept the self-signed certificate.
VMware, Inc. 68
Similarly, in Horizon Console you can configure a SAML authenticator for use by a Connection
Server instance. If the SAML server certificate is not trusted by Connection Server, you must
determine whether to accept the certificate thumbprint. If you do not accept the thumbprint, you
cannot configure the SAML authenticator in VMware Horizon. After a SAML authenticator is
configured, you can reconfigure it in the Edit Connection Server dialog box.
Procedure
1 When Horizon Console displays an Invalid Certificate Detected dialog box, click View
Certificate.
2 Examine the certificate thumbprint in the Certificate Information window.
3 Examine the certificate thumbprint that was configured for the vCenter Server .
a On the vCenter Server host, start the MMC snap-in and open the Windows Certificate
Store.
b Navigate to the vCenter Server certificate.
c Click the Certificate Details tab to display the certificate thumbprint.

Similarly, examine the certificate thumbprint for a SAML authenticator. If appropriate, take the
preceding steps on the SAML authenticator host.
4 Verify that the thumbprint in the Certificate Information window matches the thumbprint for
the vCenter Server.
Similarly, verify that the thumbprints match for a SAML authenticator.
5 Determine whether to accept the certificate thumbprint.
Option Description
The thumbprints match. Click Accept to use the default certificate.
The thumbprints do not match. Click Reject.

Troubleshoot the mismatched certificates. For example, you might have
provided an incorrect IP address for vCenter Server.
Benefits of Using TLS Certificates Signed by a CA

A CA is a trusted entity that guarantees the identity of the certificate and its creator. When a
certificate is signed by a trusted CA, users no longer receive messages asking them to verify the
certificate, and thin client devices can connect without requiring additional configuration.
You can request an TLS server certificate that is specific to a Web domain such as
www.mycorp.com, or you can request a wildcard TLS server certificate that can be used
throughout a domain such as *.mycorp.com. To simplify administration, you might choose to
request a wildcard certificate if you need to install the certificate on multiple servers or in
different subdomains.
VMware, Inc. 69
Typically, domain-specific certificates are used in secure installations, and CAs usually guarantee
more protection against losses for domain-specific certificates than for wildcard certificates. If
you use a wildcard certificate that is shared with other services, the security of the VMware
Horizon product also depends on the security of those other services. If you use a wildcard
certificate, you must ensure that the private key is transferable between servers.
When you replace the default certificate with your own certificate, clients use your certificate to
authenticate the server. If your certificate is signed by a CA, the certificate for the CA itself is
typically embedded in the browser or is located in a trusted database that the client can access.
After a client accepts the certificate, it responds by sending a secret key, which is encrypted with
the public key contained in the certificate. The secret key is used to encrypt traffic between the
client and the server.
Update the Certificates on a Connection Server Instance

When you receive updated server TLS certificates or intermediate certificates, you import the
certificates into the Windows local computer certificate store on each Connection host.
Typically, server certificates expire after 12 months. Root and intermediate certificates expire
after 5 or 10 years.
Prerequisites
n Obtain updated server and intermediate certificates from the CA before the currently valid
certificates expire.
n Verify that the Certificate snap-in was added to MMC on the Windows Server on which the
Connection Server instance was installed.
Procedure
1 Import the signed TLS server certificate into the Windows local computer certificate store on
the Windows Server host.
a In the Certificate snap-in, import the server certificate into the Certificates (Local
Computer) > Personal > Certificates folder.
b Select Mark this key as exportable.
c Click Next and click Finish.
2 For Connection Server, delete the certificate Friendly name, vdm, from the old certificate that
was issued to the VMware Horizon server.
a Right-click the old certificate and click Properties
b On the General tab, delete the Friendly name text, vdm.
VMware, Inc. 70
3 For Connection Server, add the certificate Friendly name, vdm, to the new certificate that is
replacing the previous certificate.
a Right-click the new certificate and click Properties
b On the General tab, in the Friendly name field, type vdm.
c Click Apply and click OK.
4 If intermediate certificates are issued to a Connection Server host, import the most recent
update to the intermediate certificates into the Certificates (Local Computer) > Intermediate
Certification Authorities > Certificates folder in the Windows certificate store.
5 Restart the VMware Horizon Connection Server service to make your changes take effect.
Troubleshooting Certificate Issues on Horizon Connection

Server
Certificate issues on a Connection Server server prevent you from connecting to Horizon Console
or cause a red health indicator to be displayed for a server.
Problem
You cannot connect to Horizon Console on the Connection Server instance with the problem.
When you connect to Horizon Console on another Connection Server instance in the same pod,
you see that the dashboard health indicator is red for the problem Connection Server instance.
From the other Connection Server instance, clicking the red health indicator displays SSL
Certificate: Invalid and Status: (blank), indicating that a valid certificate could not be found.
The VMware Horizon log file contains a log entry of type ERROR with the following error text: No
qualifying certificates in keystore.
The VMware Horizon log data is in <Drive Letter>:\ProgramData\VMware\log

\ConnectionServer on the Connection Server instance.
Note This file path is a symbolic link that redirects to the actual location of the log files, which is
<Drive Letter>:\ProgramData\VMware\VDM\logs.
Cause
A certificate might not be installed successfully on a VMware Horizon server for any of the
following reasons:
n The certificate is not in the Personal folder in the Windows local computer certificate store.
n The certificate store does not have a private key for the certificate.
n The certificate does not have a friendly name of vdm.
n The certificate was generated from a v3 certificate template, for a Windows Server 2008 or
later server. VMware Horizon cannot detect a private key, but if you use the Certificate snap-
in to examine the Windows certificate store, the store indicates that there is a private key.
VMware, Inc. 71
Solution
u Verify that the certificate is imported into the Personal folder in the Windows local computer
certificate store.
See Import a Signed Server Certificate into a Windows Certificate Store.
u Verify that the certificate contains a private key.
See Import a Signed Server Certificate into a Windows Certificate Store.
u Verify that the certificate has a friendly name of vdm.
See Modify the Certificate Friendly Name.
u If the certificate was generated from a v3 certificate template, obtain a valid, signed
certificate from a CA that does not use a v3 template.
See Obtaining a Signed TLS Certificate from a CA.
VMware, Inc. 72
Configuring VMware Horizon for
the First Time 6
After you install the VMware Horizon server software and configure SSL certificates for the
servers, you must take a few additional steps to set up a working VMware Horizon environment.
You configure user accounts for vCenter Server, install a VMware Horizon license key or install
Horizon Cloud Connector if you have a subscription license, add vCenter Server to your VMware
Horizon environment, configure the PCoIP Secure Gateway and secure tunnel, and, optionally,
size Windows Server settings to support your VMware Horizon environment.
n Configuring an Instant Clone Domain Administrator in Active Directory
n Configuring User Accounts for vCenter Server
n Configuring Horizon Connection Server for the First Time
n Configuring Horizon Client Connections
n Replacing Default Ports for VMware Horizon Services
n Sizing Windows Server Settings to Support Your Deployment
Configuring an Instant Clone Domain Administrator in Active

Directory
When you configure VMware Horizon for the first time and want to use instant clones, you will
need to provide an instant-clone user, called the instant-clone domain administrator in Horizon
Console.
The instant-clone domain administrator is a user account in Active Directory that allows
Connection Server to perform certain operations related to instant clones in Active Directory.
Connection Server requires this account to join instant-clone virtual machines to your Active
Directory domain. See Create a User Account for Instant-Clone Operations.
After you create and configure this instant-clone domain administrator account, you can specify
the user name in Horizon Console.
VMware, Inc. 73
Configuring User Accounts for vCenter Server

To use vCenter Server with VMware Horizon, you must also configure a user account with
appropriate vCenter Server privileges. You can create a vCenter Server role with the appropriate
privileges and assign that role to the vCenter Server user account.
The list of privileges that you must add to the vCenter Server role varies, depending on whether
you use VMware Horizon with or without instant clones. You specify a vCenter Server user when
you add vCenter Server to VMware Horizon.
Configure a vCenter Server User for VMware Horizon

To configure a user account that allows VMware Horizon to perform operations in vCenter
Server, you must assign a vCenter Server role with appropriate privileges to that user.
Prerequisites
n In Active Directory, create a user in the Connection Server domain or a trusted domain. See
Creating a User Account for vCenter Server.
Procedure
1 In vCenter Server, prepare a role with the required privileges for the user.
n You can use the predefined Administrator role in vCenter Server. This role can perform all
operations in vCenter Server including instant-clone operations.
n If you want to use a more limited role than the predefined Administrator role in vCenter
Server and you do not plan to use instant clones, you can create a role with the minimum
privileges needed by Connection Server to perform vCenter Server operations. In
vSphere Client, click Home > Roles > Add Role, enter a role name such as
Horizon Administrator, and select privileges for the role.
See Privileges Required for the vCenter Server User Without Instant Clones.
n If you want to use a more limited role than the predefined Administrator role in vCenter
Server and you plan to use instant clones, you can create a role with the minimum
privileges needed by Connection Server to perform vCenter Server operations and
instant-clone operations. In vSphere Client, click Home > Roles > Add Role, enter a role
name such as Horizon Instant Clone Administrator, and select privileges for the role.
For vCenter Server privileges that include instant-clone privileges, see Privileges Required
for the vCenter Server User With Instant Clones.
2 In vSphere Client, right-click the vCenter Server at the top level of the inventory, click Add
Permission, and add the vCenter Server user.
Note You must define the vCenter Server user at the vCenter Server level.
3 From the drop-down menu, select the Administrator role, or the custom Horizon
Administrator role that you created, and assign it to the vCenter Server user.
VMware, Inc. 74
What to do next
In Horizon Console, when you add vCenter Server to VMware Horizon, specify the vCenter Server
user. See Add vCenter Server Instances to VMware Horizon.
Privileges Required for the vCenter Server User Without Instant

Clones
The vCenter Server user must have sufficient vCenter Server privileges to enable Horizon to
perform operations in vCenter Server. Create a Horizon Administrator role for the vCenter Server
user with the required privileges. These privileges are only applicable if you do not intend to use
instant clones.
Table 6-1. Minimum vCenter Server Privileges Required for the Horizon Administrator Role
Without Instant Clones
Privilege Group Privileges to Enable
Folder Create Folder

Delete Folder
Datastore Allocate space
Virtual Machine In Configuration:

n Add or remove device
n Advanced
n Modify device settings
In Interaction:
n Power Off
n Power On
n Reset
n Suspend
n Perform wipe or shrink operations
In Inventory:
n Create new
n Create from existing
n Remove
In Provisioning:
n Customize
n Deploy template
n Read customization specifications
n Clone Template
n Clone Virtual Machine
Resource Assign virtual machine to resource pool
Global Act as vCenter Server
Host In Configuration:
n Advanced settings
VMware, Inc. 75
Table 6-1. Minimum vCenter Server Privileges Required for the Horizon Administrator Role
Without Instant Clones (continued)
Privilege Group Privileges to Enable
Profile Driven Storage (If you are using vSAN datastores (all)
or Virtual Volumes)
Cryptographic operations The following privileges are required if you use full clone
VMs with a Trusted Platform Module (vTPM) device.
n Clone
n Decrypt
n Direct Access
n Encrypt
n Manage KMS
n Migrate
n Register Host
Privileges Required for the vCenter Server User With Instant Clones
To support instant clones, the vCenter Server user must have privileges in addition to those
required to support VMware Horizon.
Table 6-2. Minimum vCenter Server Privileges Required for the Horizon Administrator Role with
Instant Clones
Privilege Group on vCenter Server Privileges to Enable
Folder Create folder

Delete folder
Datastore Allocate space

Browse datastore
Host In Inventory
n Modify Cluster
In Configuration
n Advanced settings
VMware, Inc. 76
Instant Clones (continued)
Virtual machine In Configuration (all)

n Add or remove device
n Advanced
n Modify device settings
n Change CPU count
n Change memory
n Change settings
n Change resource
n Configure Host USB device
n Configure raw device
n Configure managedby
n Display connection settings
n Extend virtual disk
n Query fault tolerance compatibility
n Query unowned files
n Reload from path
n Remove disk
n Rename
n Reset guest information
n Set annotation
n Toggle disk change tracking
n Toggle fork parent
n Upgrade virtual machine compatibility
In Interaction:
n Power Off
n Power On
n Reset
n Suspend
n Perform wipe or shrink operations
n Device connection
In Inventory (all)
n Move
n Register
n Unregister
In Snapshot management (all)
n Create snapshot
n Remove snapshot
n Rename snapshot
n Revert snapshot
In Provisioning:
n Customize
n Deploy template
n Read customization specifications
VMware, Inc. 77
Instant Clones (continued)
n Clone template
n Clone Virtual Machine
n Allow disk access
Resource Assign virtual machine to resource pool

HotMigrate
Global Enable methods

Disable methods
Manage custom attributes
Set custom attribute
Act as vCenter Server
Network Assign
Profile Driven Storage (all--If you are using vSAN datastores or Virtual Volumes)
Storage views Not required
Cryptographic operations The following privileges are required if you use instant
clones VMs with a Trusted Platform Module (vTPM)
device.
n Clone
n Decrypt
n Direct Access
n Encrypt
n Manage KMS
n Migrate
n Register Host
Configuring Horizon Connection Server for the First Time

After you install Connection Server, you can configure it based on your requirements.
Horizon Console and Horizon Connection Server

Horizon Console provides a Web-based management interface for VMware Horizon.
Horizon Connection Server can have multiple instances that also serve as replica servers.
Typically a Connection Server and associated replica servers have a single Horizon Console.
Depending on your VMware Horizon deployment, you can get a Horizon Console interface with
each instance of a Connection Server. For ease of management, VMware recommends
configuring one Horizon Console interface per Horizon pod, which consists of a Connection
Server and associated replica servers.
VMware, Inc. 78
Use the following best practices to use Horizon Console with a Connection Server:
n Use the host name and IP address of the Connection Server to log in to Horizon Console. Use
the Horizon Console interface to manage the Connection Server, and any associated replica
servers.
n In a pod environment, verify that all administrators use the host name and IP address of the
same Connection Server to log in to Horizon Console. Do not use the host name and IP
address of the load balancer to access a Horizon Console web page.
n To identify the CPA pod or cluster name of the Connection Server you are working with, you
can view the pod or cluster name in the Horizon Console header and in the web browser tab.
Note If you use Unified Access Gateway appliances, you must use the Unified Access Gateway
REST API to manage the Unified Access Gateway appliances. For more information, see the
Deploying and Configuring VMware Unified Access Gateway available at https://
docs.vmware.com/en/Unified-Access-Gateway/index.html.
Log In to Horizon Console

To perform desktop or application pool deployment tasks, or monitoring and troubleshooting
tasks, you must log in to Horizon Console. You access Horizon Console by using a secure (TLS)
connection.
Prerequisites
n Verify that Horizon Connection Server is installed on a dedicated computer.
n Verify that you are using a Web browser supported by Horizon Console. For more
information about supported Web browsers, see the Horizon Installation document.
Procedure
1 Open your Web browser and enter the following URL, where server is the host name of the
Connection Server instance.
https://server/admin
Note You can use the IP address if you have to access a Connection Server instance when
the host name is not resolvable. However, the contacted host will not match the TLS
certificate that is configured for the Connection Server instance, resulting in blocked access
or access with reduced security. VMware recommends using the FQDN instead of the IP
address.
Your access to Horizon Console depends on the type of certificate that is configured on the
Connection Server computer.
VMware, Inc. 79
If you open your Web browser on the Connection Server host, use https://127.0.0.1 to
connect, not https://localhost. This method improves security by avoiding potential DNS
attacks on the localhost resolution.
Note If you use an older Web browser such as Internet Explorer 11, a pop-up window
appears that displays the Web browsers you should use for the best user experience for
Horizon Console. You can also click on your preferred Web browser in the pop-up window to
download the Web browser.
Option Description
You configured a certificate signed When you first connect, your Web browser displays the VMware Horizon
by a CA for Connection Server. page.
The default, self-signed certificate When you first connect, your Web browser might display a page warning
supplied with Connection Server is that the security certificate associated with the address is not issued by a
configured. trusted certificate authority.
Click Ignore to continue using the current TLS certificate.
2 Log in as a user with credentials to access the Administrators account.
You make an initial assignment to the Administrators role when you install a standalone
Connection Server instance or the first Connection Server instance in a replicated group. By
default, the account that you use to install Connection Server is selected, but you can change
this account to the Administrators local group or to a domain global group.
If you chose the Administrators local group, then you can use any domain user added to this
group directly or through global group membership. You cannot use local users added to this
group.
3 Optionally, to remember the user name for every login, select Remember user name.
4 Click Sign In.
What to do next
You can also right-click any link in Horizon Console to open in another web browser tab.
Install the Perpetual Product License Key in Horizon Console

If you use a perpetual license, you must enter a product license key.
Note The product license key is not required if you have a VMware Horizon subscription license.
For more information about subscription licenses, see Enabling VMware Horizon for Subscription
Licenses and Horizon Control Plane Services.
VMware, Inc. 80
You do not have to configure a license key when you install a replicated Connection Server
instance. Replicated instances use the common license key stored in the Horizon LDAP
configuration.
Note Connection Server requires a valid license key. The product license key is a 25-character
key.
Procedure
1 In Horizon Console, select Settings > Product Licensing and Usage.
2 In the Licensing Settings panel, click Edit License.
3 Enter the license serial number and click OK.
4 Verify the license expiration date.
5 Verify that the component licenses are enabled or disabled, based on the edition of VMware
Horizon that your product license entitles you to use.
Enabling VMware Horizon for Subscription Licenses and Horizon

Control Plane Services
If you are using a subscription license, you can enable your VMware Horizon deployment to
connect to the Horizon Control Plane. You can optionally use the SaaS services provided by the
Horizon Control Plane. You must first use the Horizon Cloud Connector virtual appliance to
connect your VMware Horizon deployment with the Horizon Control Plane.
Subscription Licenses for VMware Horizon

VMware Horizon subscription licenses are available through the Horizon universal license, which
is available standalone and as part of the Workspace ONE Enterprise bundle.
The VMware Horizon subscription license provides the same VMware Horizon product
components with more flexible deployment options. While the perpetual license only allows you
to deploy VMware Horizon on-premises or in private datacenters, the Horizon subscription
license gives the following additional benefits:
n Ability to deploy into public clouds with VMware SDDC service such as VMware Cloud on
AWS, Azure VMware Solution, Google VMware Cloud Engine, and Oracle VMware Cloud
Solution.
n Services available through the Horizon Control Plane.
Note The subscription license for VMware Horizon is managed by VMware only after you
deploy the Horizon Cloud Connector virtual appliance. You will not receive the license key for
VMware VMware Horizon with this subscription license. However, you will receive license keys
for vSphere, vCenter Server, vSAN, App Volumes, and Dynamic Environment Manager with this
subscription license. You will receive these keys in an email with the following subject: Welcome
to VMware Horizon On-Premises Subscription.
VMware, Inc. 81
Horizon Control Plane for Horizon Pods

After you configure the Horizon Cloud Connector virtual appliance to connect your pod to the
Horizon Control Plane, you have the option to leverage the management, features, and
workflows that are provided by Horizon Control Plane and which are available to you according
to that subscription license. For information about those services, see Introduction to Horizon
Cloud in the VMware Control Plane documentation.
Horizon Cloud Connector and Horizon Control Plane can be used for any Horizon pods, whether
they are deployed on-premises or in public clouds.
Note For multi-location pods, Horizon assigns the deployment type of the connection server as
the pod type and the location of the connection server as the pod location.
Horizon Cloud Connector

The Horizon Cloud Connector is a virtual appliance that is deployed alongside the Horizon pod
and pairs the Horizon pod with the Horizon Control Plane. Horizon Cloud Connector is a required
component that bridges your Horizon pods with VMware Horizon Cloud Service.
You must have an active My VMware account to purchase a VMware Horizon license from
https://my.vmware.com. You then receive an email with the link to download the Horizon Cloud
Connector as an OVA file.
When you deploy the Horizon Cloud Connector virtual appliance from vSphere Client, the
Horizon Cloud Connector virtual appliance connects the Connection Server to Horizon Control
Plane to manage the VMware Horizon subscription license and other services. With a VMware
Horizon subscription license, you do not need to manually enter a VMware Horizon license key
for the VMware VMware Horizon product activation. However, you do need to use the license
keys to activate supporting components such as vSphere, vCenter Server, App Volumes, and
others.
Note The Horizon Cloud Connector virtual appliance does not support an IPv6 environment.
For more information about deploying the Horizon Cloud Connector virtual appliance and
completing that connection between a Horizon pod with Horizon Control Plane, see the following
topics in the Horizon Control Plane documentation:
n End-to-End Workflow When Your Very First Cloud-Connected Pod is from Connecting
Horizon Cloud with an Existing Manually Deployed Horizon Pod
n Connect Horizon Cloud with an Existing Manually Deployed Horizon Pod
Add vCenter Server Instances to VMware Horizon

If you plan to deploy VMware Horizon on a VMware virtualization platform, you must configure
VMware Horizon to connect to the vCenter Server instances in your VMware Horizon
deployment. vCenter Server creates and manages the virtual machines that VMware Horizon
uses in desktop pools.
VMware, Inc. 82
If you run vCenter Server instances in a Linked Mode group, you must add each vCenter Server
instance to VMware Horizon separately. Horizon supports one or multiple vCenter Servers added
to the same Horizon pod, as well as a single vCenter Server across multiple Horizon pods in a
Cloud Pod Architecture environment.
VMware Horizon connects to the vCenter Server instance using a secure channel (TLS).
Prerequisites
n Install the Horizon perpetual license key. Or if you are using a subscription license, deploy the
Horizon Cloud Connector to enable your subscription license.
n Prepare a vCenter Server user with permission to perform the operations in vCenter Server
that are necessary to support VMware Horizon.
n Verify that there is a TLS server certificate installed on the vCenter Server host. In a
production environment, install a valid certificate that is signed by a trusted Certificate
Authority (CA).
In a testing environment, you can use the default certificate that is installed with vCenter
Server, but you must accept the certificate thumbprint when you add vCenter Server to
VMware Horizon.
n Verify that all Connection Server instances in the replicated group trust the root CA
certificate for the server certificate that is installed on the vCenter Server host. Check if the
root CA certificate is in the Trusted Root Certification Authorities > Certificates folder in the
Windows local computer certificate stores on the Connection Server hosts. If it is not, import
the root CA certificate into the Windows local computer certificate stores.
See Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store.
n Verify that the vCenter Server instance contains ESXi hosts. If no hosts are configured in the
vCenter Server instance, you cannot add the instance to VMware Horizon.
n Verify that the domain administrator account that you use as the vCenter Server user was
explicitly assigned permissions to log in to vCenter Server by a vCenter Server local user.
n Familiarize yourself with the settings that determine the maximum operations limits for
vCenter Server.
Procedure
1 In Horizon Console, navigate to Settings > Servers.
2 On the vCenter Server tab, click Add.
VMware, Inc. 83
3 In the vCenter Server Settings Server address text box, enter the fully qualified domain name
(FQDN) of the vCenter Server instance.
The FQDN includes the host name and the domain name. For example, in the FQDN
myserverhost.companydomain.com, myserverhost is the host name and companydomain.com is
the domain.
Note If you enter a server by using a DNS name or URL, VMware Horizon does not perform
a DNS lookup to verify whether an administrator previously added this server to VMware
Horizon by using its IP address. A conflict arises if you add a vCenter Server with both its DNS
name and its IP address.
4 Enter the name of the vCenter Server user.
For example: domain\user or user@domain.com
5 Enter the vCenter Server user password.
6 (Optional) Enter a description for this vCenter Server instance.
7 Enter the TCP port number.
The default port is 443.
8 Select the deployment type for your vCenter from the drop-down menu.
Deployment Type Description
AWS vCenter is deployed on VMware Cloud on AWS
Azure vCenter is deployed on Azure VMware Solution
DELLEMC vCenter is deployed on VMware Cloud on Dell EMC
Google vCenter is deployed on Google Cloud VMware Engine
Oracle vCenter is deployed on Oracle Cloud VMware Solution
General vCenter is deployed on-premises or in an environment not listed above
9 Under Advanced Settings, set the concurrent operations limits for vCenter Server operations.
10 Click Next and follow the prompts to complete the wizard.
What to do next
If VMware Horizon uses multiple vCenter Server instances, repeat this procedure to add the other
vCenter Server instances.
Register Gateways in Horizon Console

Horizon Clients connect through a gateway or Unified Access Gateway appliance that you
register in Horizon Console.
You can register or unregister gateways in Horizon Console. To unregister the gateway, select
the gateway or Unified Access Gateway appliance and click Unregister.
VMware, Inc. 84
Procedure
1 In Horizon Console, select Settings > Servers.
2 On the Gateways tab, click Register.
3 Enter the FQDN of the gateway or Unified Access Gateway appliance.
4 Click OK.
Add an Instant-Clone Domain Administrator

Before you create an instant-clone desktop pool, you must add an instant-clone domain
administrator to VMware Horizon.
For more information about configuring an instant-clone domain administrator in Active

Directory, see Configuring an Instant Clone Domain Administrator in Active Directory.
Procedure
1 In Horizon Console, select Settings > Domains > Instant Clone Engine Domain Accounts.
2 Click Add.
3 Enter the domain, user name, and password for of the instant-clone domain administrator.
Configuring View Storage Accelerator for vCenter Server

You can enable View Storage Accelerator on desktop pools that contain instant clones and
desktop pools that contain full virtual machines. This feature uses the Content Based Read Cache
(CBRC) feature in ESXi hosts. Instead of reading the entire OS or application from the storage
system over and over, a host can read common data blocks from cache.
CBRC uses ESXi host memory to cache virtual machine disk data, thus reducing IOPS required
and improve performance during boot storms, when many machines start up or run anti-virus
scans at once. By reducing the number of IOPS during boot storms, View Storage Accelerator
lowers the demand on the storage array, which lets you use less storage I/O bandwidth to
support your Horizon deployment. The feature is also beneficial when administrators or users
load applications or data frequently.
You can enable or disable View Storage Accelerator globally and then enable or disable it for
individual desktop pools. The steps to enable or disable View Storage Accelerator are different
for instant-clone desktop pools and desktop pools that contain full virtual machines.
Important If you plan to use this feature and you are using multiple Horizon pods that share
some ESXi hosts, you must enable the View Storage Accelerator feature for all pools that are on
the shared ESXi hosts. Having inconsistent settings in multiple pods can cause instability of the
virtual machines on the shared ESXi hosts.
Note Native NFS snapshot technology (VAAI) and VVOL are not supported in pools that are
enabled for View Storage Accelerator.
VMware, Inc. 85
Enable View Storage Accelerator Globally in Horizon Console

You can enable View Storage Accelerator globally for all desktop pools.
Prerequisites
n Verify that the vCenter Server user was assigned the Host > Configuration > Advanced
settings privilege in vCenter Server.
See Configuring User Accounts for vCenter Server.
Procedure
1 In Horizon Console, navigate to Settings > Servers.
2 On the vCenter Server tab, click Add and complete the Add vCenter Server wizard pages
that precede the Storage Settings page.
3 On the Storage Settings page, select Enable View Storage Accelerator.
This option is selected by default.
4 Specify a default host cache size.
The default cache size applies to all ESXi hosts that are managed by this vCenter Server
instance.
The default value is 1,024MB. The cache size must be between 100MB and 32,768MB.
5 To specify a different cache size for an individual ESXi host, select an ESXi host and click Edit
cache size.
a In the Host cache dialog box, check Override default host cache size.
b Type a Host cache size value between 100MB and 32,768MB and click OK.
6 On the Storage Settings page, click Next.
7 After reviewing the settings on the Ready to Complete page, click Submit.
Enabling View Storage Accelerator for Individual Desktop Pools

For instant clone pools, View Storage Accelerator is only needed for replica virtual machines.
This is enabled automatically for individual pools and cannot be turned off on a pool level.
To complete View Storage Accelerator settings in VMware Horizon, configure View Storage
Accelerator for desktop pools. See "Configure View Storage Accelerator for Desktop Pools" in
the Setting Up Virtual Desktops in Horizon document.
To disable, you must disable View Storage Accelerator globally. See Enable View Storage
Accelerator Globally in Horizon Console. However, this would also disable the feature for desktop
pools that contain full virtual machines as well.
VMware, Inc. 86
For desktop pools that contain full virtual machines, View Storage Accelerator is enabled for
desktop pools by default. The feature can be disabled or enabled when you create or edit a pool.
The best approach is to enable this feature when you first create a desktop pool. See "Configure
View Storage Accelerator for Desktop Pools" in the Setting Up Virtual Desktops in Horizon
document.
Concurrent Operations Limits for vCenter Server

When you add vCenter Server to VMware Horizon or edit the vCenter Server settings, you can
configure several options that set the maximum number of concurrent operations that are
performed by vCenter Server.
You configure these options in the Advanced Settings panel on the vCenter Server Settings
page in the Add vCenter Server wizard.
Table 6-3. Concurrent Operations Limits for vCenter Server
Setting Description
Max concurrent vCenter Determines the maximum number of concurrent requests that Connection Server
provisioning operations can make to provision and delete full virtual machines in this vCenter Server
instance.
The default value is 20.
This setting applies to automated pools of full virtual machines only.
Max concurrent power Determines the maximum number of concurrent power operations (startup,
operations shutdown, suspend, and so on) that can take place on virtual machines managed by
Connection Server in this vCenter Server instance.
For guidelines for calculating a value for this setting, see Setting a Concurrent Power
Operations Rate to Support Remote Desktop Logon Storms
This setting applies to automated pools of full virtual machines.
Max concurrent maintenance Determines the maximum number of concurrent maintenance operations that can
operations take place.
Remote desktops that have active sessions must be logged off before a
maintenance operation can begin. If you force users to log off as soon as a
maintenance operation begins, the maximum number of concurrent operations on
remote desktops that require logoffs is half the configured value. For example, if
you configure this setting as 24 and force users to log off, the maximum number of
concurrent operations on remote desktops that require logoffs is 12.
This setting applies to instant clones.
Max concurrent Instant Clone Determines the maximum number of concurrent creation and deletion operations
Engine operations that can take place on instant clones managed by this vCenter Server instance.
This setting applies to instant clones only.
VMware, Inc. 87
Setting a Concurrent Power Operations Rate to Support Remote

Desktop Logon Storms
The Max concurrent power operations setting governs the maximum number of concurrent
power operations that can occur on remote desktop virtual machines in a vCenter Server
instance. This limit is set to 50 by default. You can change this value to support peak power-on
rates when many users log on to their desktops at the same time.
As a best practice, you can conduct a pilot phase to determine the correct value for this setting.
For planning guidelines, see "Architecture Design Elements and Planning Guidelines" in the
Horizon Architecture Planning document.
The required number of concurrent power operations is based on the peak rate at which
desktops are powered on and the amount of time it takes for the desktop to power on, boot, and
become available for connection. In general, the recommended power operations limit is the total
time it takes for the desktop to start multiplied by the peak power-on rate.
For example, the average desktop takes two to three minutes to start. Therefore, the concurrent
power operations limit should be 3 times the peak power-on rate. The default setting of 50 is
expected to support a peak power-on rate of 16 desktops per minute.
The system waits a maximum of five minutes for a desktop to start. If the start time takes longer,
other errors are likely to occur. To be conservative, you can set a concurrent power operations
limit of 5 times the peak power-on rate. With a conservative approach, the default setting of 50
supports a peak power-on rate of 10 desktops per minute.
Logons, and therefore desktop power on operations, typically occur in a normally distributed
manner over a certain time window. You can approximate the peak power-on rate by assuming
that it occurs in the middle of the time window, during which about 40% of the power-on
operations occur in 1/6th of the time window. For example, if users log on between 8:00 AM and
9:00 AM, the time window is one hour, and 40% of the logons occur in the 10 minutes between
8:25 AM and 8:35 AM. If there are 2,000 users, 20% of whom have their desktops powered off,
then 40% of the 400 desktop power-on operations occur in those 10 minutes. The peak power-
on rate is 16 desktops per minute.
Accept the Thumbprint of a Default TLS Certificate

When you add vCenter Server instances to VMware Horizon, you must ensure that the TLS
certificates that are used for the vCenter Server are valid and trusted by Connection Server. If the
default certificates that are installed with vCenter Server are still in place, you must determine
whether to accept these certificates' thumbprints.
If a vCenter Server instance is configured with a certificate that is signed by a CA, and the root
certificate is trusted by Connection Server, you do not have to accept the certificate thumbprint.
No action is required.
VMware, Inc. 88
If you replace a default certificate with a certificate that is signed by a CA, but Connection Server
does not trust the root certificate, you must determine whether to accept the certificate
thumbprint. A thumbprint is a cryptographic hash of a certificate. The thumbprint is used to
quickly determine if a presented certificate is the same as another certificate, such as the
certificate that was accepted previously.
Note If you install vCenter Server on the same Windows Server host, they can use the same TLS
certificate, but you must configure the certificate separately for each component.
For details about configuring TLS certificates, see Chapter 5 Configuring TLS Certificates for
VMware Horizon Servers.
You first add vCenter Server in Horizon Console by using the Add vCenter Server wizard. If a
certificate is untrusted and you do not accept the thumbprint, you cannot add vCenter Server
and vCenter Server.
After these servers are added, you can reconfigure them in the Edit vCenter Server dialog box.
Note You also must accept a certificate thumbprint when you upgrade from an earlier release
and a vCenter Server certificate is untrusted, or if you replace a trusted certificate with an
untrusted certificate.
Procedure
1 When Horizon Console displays an Invalid Certificate Detected dialog box, click View
Certificate.
2 Examine the certificate thumbprint in the Certificate Information window.
3 Examine the certificate thumbprint that was configured for the vCenter Server instance.
a On the vCenter Server host, start the MMC snap-in and open the Windows Certificate
Store.
b Navigate to the vCenter Server certificate.
c Click the Certificate Details tab to display the certificate thumbprint.

Similarly, examine the certificate thumbprint for a SAML authenticator. If appropriate, take the
preceding steps on the SAML authenticator host.
4 Verify that the thumbprint in the Certificate Information window matches the thumbprint for
the vCenter Server instance.
Similarly, verify that the thumbprints match for a SAML authenticator.
VMware, Inc. 89
5 Determine whether to accept the certificate thumbprint.
Option Description
The thumbprints match. Click Accept to use the default certificate.
The thumbprints do not match. Click Reject.

Troubleshoot the mismatched certificates. For example, you might have
provided an incorrect IP address for vCenter Server.
Configuring Horizon Client Connections

Client endpoints communicate with a Connection Server host over secure connections.
The initial client connection, which is used for user authentication and remote desktop and
application selection, is created over HTTPS when a user provides a domain name to Horizon
Client. If firewall and load balancing software are configured correctly in your network
environment, this request reaches the Connection Server host. With this connection, users are
authenticated and a desktop or application is selected, but users have not yet connected to the
remote desktop or application.
When users connect to remote desktops and applications, by default the client makes a second
connection to the Connection Server host. This connection is called the tunnel connection
because it provides a secure tunnel for carrying RDP and other data over HTTPS.
When users connect to remote desktops and applications with the PCoIP display protocol, the
client can make a further connection to the PCoIP Secure Gateway on the Connection Server
host. The PCoIP Secure Gateway ensures that only authenticated users can communicate with
remote desktops and applications over PCoIP.
You can also provide secure connections to users connect to remote desktops and applications
with the VMware Blast display protocol and to external users who use HTML Access to connect
to remote desktops. The Blast Secure Gateway ensures that only authenticated users can
communicate with remote desktops.
Depending on the type of client device being used, additional channels are established to carry
other traffic such as USB redirection data to the client device. These data channels route traffic
through the secure tunnel if it is enabled.
When the secure tunnel and secure gateways are disabled, desktop and application sessions are
established directly between the client device and the remote machine, bypassing the
Connection Server host. This type of connection is called a direct connection.
Desktop and application sessions that use direct connections remain connected even if
Connection Server is no longer running.
Typically, to provide secure connections for external clients that connect to a Connection Server
host over a WAN, you enable the secure tunnel, the PCoIP Secure Gateway, and the Blast Secure
Gateway. You can disable the secure tunnel and the secure gateways to allow internal, LAN-
connected clients to establish direct connections to remote desktops and applications.
VMware, Inc. 90
If you enable only the secure tunnel or only one secure gateway, a session might use a direct
connection for some traffic but send other traffic through the Connection Server host, depending
on the type of client being used.
TLS is required for all client connections to Connection Server hosts.
Configure the Secure Tunnel and PCoIP Secure Gateway

When the secure tunnel is enabled, Horizon Client makes a second HTTPS connection to the
Connection Server when users connect to a remote desktop.
When the PCoIP Secure Gateway is enabled, Horizon Client makes a further secure connection to
the Connection Server host when users connect to a remote desktop with the PCoIP display
protocol.
Note If you use Unified Access Gateway appliances, you must disable the secure gateways on
Connection Server instances and enable these gateways on the Unified Access Gateway
appliances. For more information, see the Deploying and Configuring VMware Unified Access
Gateway document available at https://docs.vmware.com/en/Unified-Access-Gateway/
index.html.
When the secure tunnel or PCoIP Secure Gateway is not enabled, a session is established directly
between the client system and the remote desktop virtual machine, bypassing the Connection
Server. This type of connection is called a direct connection.
Important In a network configuration in which external clients connect directly to a Connection

Server host, you enable or disable the secure tunnel and PCoIP Secure Gateway by editing that
Connection Server instance in Horizon Console.
Procedure
2 On the Connection Servers tab, select a Connection Server instance and click Edit.
3 On the General tab, configure use of the secure tunnel.
Option Description
Enable the secure tunnel Select Use Secure Tunnel connection to machine.
Disable the secure tunnel Deselect Use Secure Tunnel connection to machine.
The secure tunnel is enabled by default.
4 Configure use of the PCoIP Secure Gateway.
Option Description
Enable the PCoIP Secure Gateway Select Use PCoIP Secure Gateway for PCoIP connections to machine
Disable the PCoIP secure Gateway Deselect Use PCoIP Secure Gateway for PCoIP connections to machine
VMware, Inc. 91
The PCoIP Secure Gateway is disabled by default.
Configure the Blast Secure Gateway

In Horizon Console, you can configure the use of the Blast Secure Gateway to provide secure
access to remote desktops and applications, either through HTML Access or through client
connections that use the VMware Blast display protocol.
The Blast Secure Gateway includes Blast Extreme Adaptive Transport (BEAT) networking, which
dynamically adjusts to network conditions such as varying speeds and packet loss.
n Blast Secure Gateway supports BEAT networking only when running on a Unified Access
Gateway appliance.
n Horizon Clients using IPv4 and Horizon Clients using IPv6 can be handled concurrently on TCP
port 8443 and on UDP port 8443 (for BEAT) when connecting to a Unified Access Gateway
appliance version 3.3 or later.
n Horizon Clients that use a typical network condition must connect to a Connection Server
(BSG disabled) or versions later than 2.8 of an Unified Access Gateway appliance. If Horizon
Client uses a typical network condition to connect to a Connection Server (BSG enabled) or
versions earlier than 2.8 of an Unified Access Gateway appliance, the client automatically
senses the network condition and falls back to TCP networking.
n Horizon Clients that use a poor network condition must connect to version 2.9 or later of an
Unified Access Gateway appliance (with UDP Tunnel Server Enabled). If Horizon Client uses a
poor network condition to connect to the Connection Server (BSG enabled) or versions
earlier than 2.8 of an Unified Access Gateway appliance, the client automatically senses the
network condition and falls back to TCP networking.
n Horizon Clients that use a poor network condition to connect to Connection Server (BSG
disabled) or version 2.9 or later of Unified Access Gateway appliance (without UDP Tunnel
Server Enabled), or version 2.8 of Unified Access Gateway appliance, the client automatically
senses the network condition and falls back to the typical network condition.
For more information, see the Horizon Client documentation at https://docs.vmware.com/en/

VMware-Horizon-Client/index.html.
Note If you use Unified Access Gateway appliances, you must disable the secure gateways on
Connection Server instances and enable these gateways on the Unified Access Gateway
appliances. For more information, see the Deploying and Configuring VMware Unified Access
Gateway document available at https://docs.vmware.com/en/Unified-Access-Gateway/
index.html.
When the Blast Secure Gateway is not enabled, client devices and client Web browsers use the
VMware Blast Extreme protocol to establish direct connections to remote desktop virtual
machines and applications, bypassing the Blast Secure Gateway.
VMware, Inc. 92
Prerequisites
If users select remote desktops by using VMware Workspace ONE Access, verify that VMware
Workspace ONE Access is installed and configured for use with Connection Server and that
Connection Server is paired with a SAML 2.0 Authentication server.
Procedure
2 On the Connection Servers tab, select a Connection Server instance and click Edit.
3 Configure use of the Blast Secure Gateway.
Option Description
Enable the Blast Secure Gateway Select Use Blast Secure Gateway for Blast connections to machine
Enable the Blast Secure Gateway for Select Use Blast Secure Gateway for only HTML Access Blast connections
HTML Access to machine
Disable the Blast Secure Gateway Select Do not use Blast Secure Gateway
The Blast Secure Gateway is enabled by default.
Set the External URLs for Horizon Connection Server Instances

You can use Horizon Console to configure the external URLs for Connection Server instances.
By default, a Connection Server host can be contacted only by tunnel clients that reside within
the same network. Tunnel clients that run outside of your network must use a client-resolvable
URL to connect to a Connection Server host.
When users connect to remote desktops with the PCoIP display protocol, Horizon Client can
make a further connection to the PCoIP Secure Gateway on the Connection Server host. To use
the PCoIP Secure Gateway, a client system must have access to an IP address that allows the
client to reach the Connection Server host. You specify this IP address in the PCoIP external URL.
A third URL allows users to make secure connections through the Blast Secure Gateway.
The secure tunnel external URL, PCoIP external URL, and Blast external URL must be the
addresses that client systems use to reach this host.
Prerequisites
n Verify that the secure tunnel connections and the PCoIP Secure Gateway are enabled on the
Connection Server instance. See Configure the Secure Tunnel and PCoIP Secure Gateway.
n To set the Blast external URL, verify that the Blast Secure Gateway is enabled on the
Connection Server instance. See Configure the Blast Secure Gateway.
Procedure
VMware, Inc. 93
2 On the Connection Servers tab, select the Connection Server instance and click Edit.
3 Type the secure tunnel external URL in the External URL text box.
The URL must contain the protocol, client-resolvable host name and port number.
For example: https://horizon.example.com:443
Note You can use the IP address if you have to access a Connection Server instance when
the host name is not resolvable. However, the host that you contact will not match the TLS
certificate that is configured for the Connection Server instance, resulting in blocked access
or access with reduced security.
4 Type the PCoIP Secure Gateway external URL in the PCoIP External URL text box.
Specify the PCoIP external URL as an IP address with the port number 4172. Do not include a
protocol name.
For example: 10.20.30.40:4172
The URL must contain the IP address and port number that a client system can use to reach
this Connection Server instance.
5 Type the Blast Secure Gateway external URL in the Blast External URL text box.
The URL must contain the HTTPS protocol, client-resolvable host name, and port number.
For example: https://myserver.example.com:8443
By default, the URL includes the FQDN of the secure tunnel external URL and the default port
number, 8443. The URL must contain the FQDN and port number that a client system can use
to reach this host.
6 Verify that all addresses in this dialog allow client systems to reach this host.
Results
The external URLs are updated immediately. You do not need to restart the Connection Server
for the changes to take effect.
Give Preference to DNS Names When Horizon Connection Server

Returns Address Information
By default, when sending the addresses of desktop machines and RDS hosts to clients and
gateways, Horizon Connection Server gives preference to IP addresses. You can change this
default behavior with an LDAP attribute that tells Horizon Connection Server to give preference
to DNS names. In certain environments, having Connection Server return DNS names to clients
and gateways can provide additional flexibility in designing a network infrastructure.
The LDAP attribute affects clients that run Horizon Client for Windows, HTML Access, and secure
gateways on Connection Server instances.
VMware, Inc. 94
Prerequisites
See the Microsoft TechNet Web site for information on how to use the ADSI Edit utility on your
Windows Server operating system version.
Procedure
1 Start the ADSI Edit utility on your Connection Server computer.
2 In the console tree, select Connect to.
3 In the Select or type a Distinguished Name or Naming Context text box, type the
distinguished name DC=vdi, DC=vmware, DC=int.
4 In the Select or type a domain or server text box, select or type localhost:389 or the fully
qualified domain name (FQDN) of the Connection Server computer followed by port 389.
For example: localhost:389 or mycomputer.mydomain.com:389
5 On the object CN=Common, OU=Global, OU=Properties, set the pae-PreferDNS attribute

value to 1.
When this attribute is set to 1, Connection Server returns a DNS name, if a DNS name is
available and the recipient supports name resolution. Otherwise, Connection Server returns
an IP address, if an IP address of the correct type for your environment (IPv4 or IPv6) is
available.
When this attribute is not set or is set to 0, Connection Server returns an IP address, if an IP
address of the correct type is available. Otherwise, an IP address compatibility error is
returned.
Allow HTML Access Through a Load Balancer

Connection Server instances that are directly behind a load balancer or load-balanced gateway
must know the address by which browsers will connect to the load balancer when users use
HTML Access.
For Connection Server instances that are directly behind a gateway, perform the procedure
described in Allow HTML Access Through a Gateway.
You must perform this procedure for each Connection Server that is behind the load balancer or
load-balanced gateway.
Procedure
1 Create or edit the locked.properties file in the gateway configuration folder on the
Connection Server host.
For example: install_directory\VMware\VMware View\Server\sslgateway\conf

\locked.properties
VMware, Inc. 95
2 Add the balancedHost property and set it to the address of the load balancer.
For example, if users type https://view.example.com in a browser to reach any of the load-
balanced Connection Servers, add balancedHost=view.example.com to the
locked.properties file.
3 Save the locked.properties file.
4 Restart the Connection Server service to make your changes take effect.
Allow HTML Access Through a Gateway

Connection Server instances that are directly behind a gateway, such as Unified Access Gateway,
must know the address by which browsers will connect to the gateway when users use HTML
Access.
For Connection Server instances that are behind a load-balancer or load-balanced gateway,
perform the procedure described in Allow HTML Access Through a Load Balancer.
You must perform this procedure for each Connection Server that is behind the gateway.
Procedure
Connection Server host.

\locked.properties
2 Add the portalHost property and set it to the address of the gateway.
For example, if https://view-gateway.example.com is the address that browsers use to

access VMware Horizon through the gateway, add portalHost=view-gateway.example.com
to the locked.properties file.
If the Connection Server instance is behind multiple gateways, you can specify each gateway
by adding a number to the portalHost property, for example:
portalHost.1=view-gateway-1.example.com
portalHost.2=view-gateway-2.example.com
You must also specify multiple portalHost properties if a single gateway machine is known
by more than one name.
3 Save the locked.properties file.
Configure the VMware Horizon Web Portal Page for End Users
You can configure the VMware Horizon Web Portal page to show or hide the icon for
downloading Horizon Client, the icon for connecting to a remote desktop through HTML Access,
and other links.
VMware, Inc. 96
By default, the VMware Horizon Web Portal page shows both an icon for downloading and
installing Horizon Client and an icon for connecting through HTML Access. The default values
defined in the portal-links-html-access.properties file determine the download link that
appears on the VMware Horizon Web Portal page.
Sometimes, you might want the links on the VMware Horizon Web Portal page to point to an
internal web server, or you might want to make specific client versions available on your own
server. You can reconfigure the VMware Horizon Web Portal page to point to a different
download URL by modifying the contents of the portal-links-html-access.properties file. If
that file is unavailable or is empty, and the oslinks.properties file exists, the
oslinks.properties file is determines the link value for the installer file.
The oslinks.properties file is installed in the installation-directory\VMware\VMware View

\Server\broker\webapps\portal\WEB-INF directory. If this file is missing during the HTML
Access session, the download link directs users to https://www.vmware.com/go/viewclients by
default. The file contains the following default values.
link.download=https://www.vmware.com/go/viewclients
# download Links for particular platforms
link.win32=https://www.vmware.com/go/viewclients#win32
link.win64=https://www.vmware.com/go/viewclients#win64
link.linux32=https://www.vmware.com/go/viewclients#linux32
link.linux64=https://www.vmware.com/go/viewclients#linux64
link.mac=https://www.vmware.com/go/viewclients#mac
link.ios=https://itunes.apple.com/us/app/vmware-view-for-ipad/id417993697
link.android=https://play.google.com/store/apps/details?id=com.vmware.view.client.android
link.chromeos=https://play.google.com/store/apps/details?id=com.vmware.view.client.android
link.winmobile=https://www.microsoft.com/en-us/store/p/vmware-horizon-client/9nblggh51p19
You can define installer links for specific client operating systems in the portal-links-html-
access.properties file or the oslinks.properties file. For example, if you browse to the
VMware Horizon Web Portal page from a macOS system, the link for the Horizon Client for Mac
installer appears. For Linux clients, you can make separate links for 32-bit and 64-bit installers.
For Chrome clients, you can substitute the link to Horizon Client for Chrome in the Chrome Web
Store (https://chrome.google.com/webstore/detail/vmware-horizon-client-for/
ppkfnjlimknmjoaemnpidmdlfchhehel).
Procedure
1 On the Connection Server host, use a text editor to open the portal-links-html-
access.properties file CommonAppDataFolder\VMware\VDM\portal\portal-links-html-
access.properties directory.
The CommonAppDataFolder directory is usually in the C:\ProgramData directory. To show

the C:\ProgramData folder in Windows Explorer, use the Folder Options dialog box to show
hidden folders.
VMware, Inc. 97
If the portal-links-html-access.properties file does not exist, but the

oslinks.properties file does exist, open the <installation-directory>\VMware\VMware View
\Server\broker\webapps\portal\WEB-INF\oslinks.properties file to modify the URLs to
use for downloading specific installer files.
2 Edit the configuration properties.
By default, both the installer icon and the HTML Access icon are enabled and a link points to
the client download page on the VMware website. To disable an icon, which removes the
icon from the web page, set the property to false.
Note The oslinks.properties file can be used only to configure the links to the specific
installer files.
Option Property Setting
Disable HTML Access enable.webclient=false

If this option is set to false, but the enable.download option is set to true, the
user is taken to a web page for downloading the native Horizon Client
installer. If both options are set to false, the user sees the following
message: "Contact your local administrator for instructions on
accessing this Connection Server."
Disable downloading Horizon Client enable.download=false

If this option is set to false, but the enable.webclient option is set to true, the
user is taken to the HTML Access login web page. If both options are set to
false, the user sees the following message: "Contact your local
administrator for instructions on accessing this Connection
Server."
Change the URL of the Web page link.download=https://url-of-web-server

for downloading Horizon Client Use this property if you plan to create your own web page.
VMware, Inc. 98
Option Property Setting
Create links for specific installers The following examples show full URLs. If you place the installer files in the
downloads directory, which is under the C:\Program Files\VMware\VMware
View\Server\broker\webapps\ directory on the Connection Server host,
you can use relative URLs as described in the next step.
n General link to download installer:
link.download=https://server/downloads
n 32-bit Windows installer:
link.win32=https://server/downloads/VMware-Horizon-Client-
x86-build#.exe
n 64-bit Windows installer:
link.win64=https://server/downloads/VMware-Horizon-Client-
x86_64-build#.exe
n Windows Phone installer:
link.winmobile=https://server/downloads/VMware-Horizon-
Client-build#.appx
n 32-bit Linux installer:
link.linux32=https://server/downloads/VMware-Horizon-Client-
build#.x86.bundle
n 64-bit Linux installer:
link.linux64=https://server/downloads/VMware-Horizon-Client-
build#.x64.bundle
n macOS installer:
link.mac=https://server/downloads/VMware-Horizon-Client-
build#.dmg
n iOS installer:
link.ios=https://server/downloads/VMware-Horizon-Client-
iPhoneOS-build#.ipa
n Android installer:
link.android=https://server/downloads/VMware-Horizon-Client-
AndroidOS-build#.apk
Change the URL for the Help link in link.help

the login page By default, this link points to a help system hosted on the VMware website.
The Help link appears at the bottom of the login page.
VMware, Inc. 99
3 To have users download installers from a location other than the VMware website, place the
installer files on the HTTP server where the installer files reside.
This location must correspond to the URLs that you specified in the portal-links-html-
access.properties file or in the oslinks.properties file from the previous step. For
example, to place the files in a downloads directory on the Connection Server host, use the
following path.
C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads
The links to the installer files can then use relative URLs with the format /downloads/client-
installer-file-name.
4 Restart the Horizon Web Component service.
Replacing Default Ports for VMware Horizon Services

During installation, VMware Horizon services are set up to listen on certain network ports by
default. In certain organizations, these ports must be changed to comply with organization
policies or to avoid contention. You can change the default ports that are used by Connection
Server and PCoIP Secure Gateway.
Changing ports is an optional setup task. Use the default ports if your deployment does not
require you to change them.
For a list of the default TCP and UDP ports that are used by VMware Horizon servers, see the
Horizon Security document.
Replace the Default HTTP Ports or NICs for Horizon Connection

Server Instances
You can replace the default HTTP ports or NICs for a Connection Server instance by editing the
locked.properties file on the server computer. Your organization might require you to perform
these tasks to comply with organization policies or to avoid contention.
The default SSL port is 443. The default non-SSL port is 80.
The port that is specified in the secure tunnel External URL does not change as a result of
changes that you make to ports in this procedure. Depending on your network configuration, you
might have to change the secure tunnel External URL port as well.
If the server computer has multiple NICs, the computer listens on all NICs by default. You can
select one NIC to listen on the configured port by specifying the IP address that is bound to that
NIC.
During installation, VMware Horizon configures the Windows firewall to open the required default
ports. If you change a port number or the NIC on which it listens, you must manually reconfigure
your Windows firewall to open the updated ports so that client devices can connect to the
server.
VMware, Inc. 100

If you change the SSL port number and you need HTTP redirection to continue working, you
must also change the port number for HTTP redirection. See Change the Port Number for HTTP
Redirection to Connection Server.
Prerequisites
Verify that the port that is specified in the External URL for this Connection Server instance will
continue to be valid after you change ports in this procedure.
Procedure

\locked.properties
The properties in the locked.properties file are case sensitive.
2 Add the serverPort or serverPortNonSsl property, or both properties, to the

locked.properties file.
For example:
serverPort=4443
serverPortNonSsl=8080
3 (Optional) If the server computer has multiple NICs, select one NIC to listen on the configured
ports.
Add the serverHost and serverHostNonSsl properties to specify the IP address that is bound
to the designated NIC.
For example:
serverHost=10.20.30.40
serverHostNonSsl=10.20.30.40
Typically, both the SSL and non-SSL listeners are configured to use the same NIC. However, if
you use the serverProtocol=http property to off-load SSL for client connections, you can
set the serverHost property to a separate NIC to provide SSL connections to systems that
are used to launch Horizon Console.
If you configure SSL and non-SSL connections to use the same NIC, the SSL and non-SSL
ports must not be the same.
What to do next
If necessary, manually configure your Windows firewall to open the updated ports.
VMware, Inc. 101

Replace the Default Ports or NICs for the PCoIP Secure Gateway on
Horizon Connection Server Instances
You can replace the default ports or NICs that are used by a PCoIP Secure Gateway service that
runs on a Connection Server instance. Your organization might require you to perform these
tasks to comply with organization policies or to avoid contention.
For client-facing TCP and UDP connections, the PCoIP Secure Gateway listens on port 4172 by
default. For UDP connections to remote desktops, the PCoIP Secure Gateway listens on port
55000 by default.
The port that is specified in the PCoIP External URL does not change as a result of changes that
you make to ports in this procedure. Depending on your network configuration, you might have
to change the PCoIP External URL port as well.
If the computer on which the PCoIP Secure Gateway is running has multiple NICs, the computer
listens on all NICs by default. You can select one NIC to listen on the configured ports by
specifying the IP address that is bound to that NIC.
Prerequisites
Verify that the port that is specified in the PCoIP External URL on the Connection Server instance
will continue to be valid after you change ports in this procedure.
Procedure
3 Under this registry key, add one or more of the following String (REG_SZ) values with your
updated port numbers.
For example:
ExternalTCPPort "44172"
ExternalUDPPort "44172"
InternalUDPPort "55111"
4 (Optional) If the computer on which the PCoIP Secure Gateway is running has multiple NICs,
select one NIC to listen on the configured ports.
Under the same registry key, add the following String (REG_SZ) values to specify the IP
address that is bound to the designated NIC.
For example:
ExternalBindIP "10.20.30.40"
InternalBindIP "172.16.17.18"
If you configure external and internal connections to use the same NIC, the external and
internal UDP ports must not be the same.
VMware, Inc. 102

service.
Replace the Default Control Port for PCoIP Secure Gateway on

Connection Server Instances
You can replace the default port that controls the PCoIP Secure Gateway (PSG) service that runs
on a Connection Server instance. You might need to perform this task to avoid port contention.
The PCoIP Secure Gateway listens for control connections on the local TCP port 50060 by
default.
Procedure
Connection Server computer where the PCoIP Secure Gateway is running.

\locked.properties
2 Add the psgControlPort property to the locked.properties file.
For example:
psgControlPort=52060
3 Start the Windows Registry Editor on the same machine.
5 Under this registry key, add the following String (REG_SZ) value with your updated port
number.
For example:
TCPControlPort "52060"
Note The port number for TCPControl Port is the same as the port number for
psgControlPort.
Change the Port Number for HTTP Redirection to Connection Server

If you replace the default port 443 on a Connection Server, and you want to allow HTTP
redirection for Horizon Clients that attempt to connect to port 80, you must configure the
locked.properties file on the Connection Server.
Note This procedure has no effect if you off-load SSL to an intermediate device. With SSL off-
loading in place, the HTTP port on the Connection Server provides service to clients.
VMware, Inc. 103

Prerequisites
Verify that you changed the default port number from 443. If you use the default values that are
configured during installation, you do not have to perform this procedure to preserve the HTTP
redirection rule.
Procedure

\locked.properties
2 Add the following lines to the locked.properties file:
frontMappingHttpDisabled.1=5:*:moved:https::port
frontMappingHttpDisabled.2=3:/error/*:file:docroot
frontMappingHttpDisabled.3=1:/admin*:missing
frontMappingHttpDisabled.4=1:/view-vlsi*:missing
In the preceding lines, the variable port is the port number to which the client should connect.
If you do not add the preceding lines, the port remains 443.
Prevent HTTP Redirection for Client Connections to Connection

Server
Attempts by Horizon Clients to connect to Connection Servers over HTTP are silently redirected
to HTTPS. In some deployments, you might want to prevent users from entering http:// in their
Web browsers and force them to use HTTPS. To prevent HTTP redirection for Horizon Clients,
you must configure the locked.properties file on the Connection Server.
Note This procedure has no effect if you off-load SSL to an intermediate device. With SSL off-
loading in place, the HTTP port on the Connection Server provides service to clients.
Procedure

\locked.properties
VMware, Inc. 104

2 Add the following lines to the locked.properties file:
frontMappingHttpDisabled.1=5:*:missing
frontMappingHttpDisabled.2=3:/error/*:file:docroot
Enable Remote Access to VMware Horizon Performance Counters on

Connection Servers
VMware Horizon performance counters are available locally on a Connection Server but return 0
when accessed from another computer. To enable remote access to VMware Horizon
performance counters on Connection Servers, you must configure Connection Server's
framework port in the registry.
Procedure
1 Start the Windows Registry Editor.
2 Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Node Manager

registry key.
3 Add a new String (REG_SZ) value, Management Port.
4 Set the Management Port value to 32111.
Sizing Windows Server Settings to Support Your

Deployment
To support a large deployment of remote desktops, you can configure the Windows Server
computers on which you install Connection Server. On each computer, you can size the Windows
page-file.
On Windows Server 2012 R2 and later computers, the ephemeral ports, TCB hash table, and Java
Virtual Machine settings are sized by default. These adjustments ensure that the computers have
adequate resources to run correctly with the expected user load.
Sizing Memory for Horizon Connection Server

On a Connection Server computer, 10GB of memory is required for deployments of 50 or more
remote desktops. A Windows Server computer with at least 10GB of memory is automatically
configured to support approximately 2,000 concurrent tunnel sessions, the maximum number
that Connection Server can support.
Configure less than 10GB of memory for small, proof-of-concept deployments only. With the
required minimum of 4GB of memory, a configuration can support approximately 500 concurrent
tunnel sessions, which is more than adequate to support small, proof-of-concept deployments.
VMware, Inc. 105

However, because your deployment might grow larger as more users are added to the
environment, VMware recommends that you always configure at least 10GB of memory. Make an
exception only when you know that the environment will not grow, and memory is not available.
If you install Connection Server with less than 10GB of memory, VMware Horizon provides
memory recommendations by generating warning messages after the installation is complete. An
event triggered every 12 hours states that the Connection Server instance is configured with a
small amount of physical memory.
If you increase a computer's memory to 10GB to support a larger deployment, restart Connection
Server to ensure that the JVM heap size is automatically increased to the recommended value.
You do not have to reinstall Connection Server.
Important Do not change the JVM heap size on 64-bit Windows Server computers. Changing
this value might make Connection Server behavior unstable. On 64-bit computers, the
Connection Server service sets the JVM heap size to accord with the physical memory.
For additional hardware and memory requirements for Connection Server, see Hardware
Requirements for Horizon Connection Server.
For hardware and memory recommendations for using Connection Server in a large deployment,
see "Connection Server Maximums and Virtual Machine Configuration" in the Horizon Architecture
Planning document.
Configure the System Page-File Settings

You can optimize the virtual memory on the Windows Server computers on which your
Connection Server instances are installed by changing the system page-file settings.
When Windows Server is installed, Windows calculates an initial and maximum page-file size
based on the physical memory installed on the computer. These default settings remain fixed
even after you restart the computer.
If the Windows Server computer is a virtual machine, you can change the memory size through
vCenter Server. However, if Windows uses the default setting, the system page-file size does not
adjust to the new memory size.
Procedure
1 On the Windows Server computer on which Connection Server is installed, navigate to the
Virtual Memory dialog box.
By default, Custom size is selected. An initial and maximum page-file size appear.
2 Click System managed size.
Results
Windows continually recalculates the system page-file size based on current memory use and
available memory.
VMware, Inc. 106

Deploying VMware Horizon on
VMware Cloud on AWS 7
VMware Cloud on AWS is a VMware SDDC infrastructure-as-a-service on AWS where you can
deploy VMware Horizon desktops and applications.
For more information about deploying VMware Horizon on VMware Cloud on AWS, see the
"Horizon on VMware Cloud on AWS Deployment Guide" at https://www.vmware.com/
content/dam/digitalmarketing/vmware/en/pdf/products/vmw-deploy-horizon-seven-on-vmware-
cloud-on-aws.pdf.
For a list of VMware Horizon features supported on VMware Cloud on AWS, see the VMware
Knowledge Base article https://kb.vmware.com/s/article/58539.
For more information about VMware Cloud on AWS, see the VMware Cloud on AWS
documentation at https://docs.vmware.com/en/VMware-Cloud-on-AWS/index.html.
For more information about the impact of SDDC upgrade on a VMware Horizon deployment on
VMware Cloud on AWS, see the VMware Knowledge Base article https://kb.vmware.com/s/
article/74599.
For more information about updating the vSAN Storage Policy FTT Level on a VMware Horizon
deployment on VMware Cloud on AWS, see the VMware Knowledge Base article https://
For more information on connecting your VMware Horizon on VMware Cloud on AWS
deployment with the Horizon Control Plane and getting a subscription license, see "Enabling
VMware Horizon for Subscription Licenses and Horizon Control Plane Services" in the Horizon
VMware, Inc. 107

Azure VMware Solution 8
Azure VMware Solution (AVS) is a VMware SDDC infrastructure-as-a-service on Microsoft Azure
where you can deploy VMware Horizon desktops and applications. Check with your Microsoft
representative on the availability of AVS.
You can select Azure as an available deployment type when you install Connection Server. You
can also provide Azure as a deployment type during a silent installation of Connection Server.
You can create instant-clone and full-clone desktop pools on AVS.
VMware, Inc. 108

VMware Cloud on Dell EMC 9
Deploying VMware Horizon on VMware Cloud on Dell EMC provides a platform to host Horizon
desktops in an on-premises managed infrastructure.
For more information about deploying VMware Horizon on VMware Cloud on Dell EMC, see the
VMware Cloud on Dell EMC Horizon Integration guide available at https://docs.vmware.com/en/
VMware-Cloud-on-Dell-EMC/index.html.
VMware, Inc. 109

Configuring Event Reporting in
Horizon Console 10
You can create an event database to record information about VMware Horizonevents. In
addition, if you use a Syslog server, you can configure Connection Server to send events to a
Syslog server or create a flat file of events written in Syslog format.
n Add a Database and Database User for VMware Horizon Events in Horizon Console
n Prepare an SQL Server Database for Event Reporting in Horizon Console
n Prepare a PostgreSQL Database for Event Reporting in Horizon Console
n Configure the Event Database in Horizon Console
n Configure Event Logging to File or Syslog Server in Horizon Console
Add a Database and Database User for VMware Horizon

Events in Horizon Console
You create an event database by adding it to an existing database server. You can then use
reporting software to analyze the events in the database.
Deploy the database server for the event database on a dedicated server, so that event logging
activity does not affect provisioning and other activities that are critical for VMware Horizon
deployments.
Note You do not need to create an ODBC data source for this database.
Prerequisites
n Verify that you have a supported Microsoft SQL Server, Oracle, or PostgreSQL database
server on a system that a Connection Server instance has access to.
For the most up-to-date information about supported databases, see the VMware Product
Interoperability Matrixes at http://www.vmware.com/resources/compatibility/sim/
interop_matrix.php. For Solution/Database Interoperability, after you select the product and
version, for the Add Database step, to see a list of all supported databases, select Any and
click Add.
VMware, Inc. 110

n Verify that you have the required database privileges to create a database and user on the
database server.
Procedure
1 Add a database to the server and give it a descriptive name such as HorizonEvents.
For an Oracle 12c or Oracle 11g database, also provide an Oracle System Identifier (SID),
which you use when you configure the event database in Horizon Console.
2 Add a user for this database that has permission to create tables, views, and, Oracle triggers
and sequences, and permission to read from and write to these objects.
For a Microsoft SQL Server database, VMware Horizon does not support the Integrated
Windows Authentication security model method of authentication. Use the SQL Server
Authentication method of authentication, which is the only supported method.
Results
The database is created, but the schema is not installed until you configure the database in
Horizon Console.
What to do next
Follow the instructions in Configure the Event Database in Horizon Console.
Prepare an SQL Server Database for Event Reporting in

Horizon Console
Before you can use Horizon Console to configure an event database on Microsoft SQL Server,
you must configure the correct TCP/IP properties and verify that the server uses SQL Server
Authentication.
Prerequisites
n Create an SQL Server database for event reporting. See Add a Database and Database User
for VMware Horizon Events in Horizon Console.
n Verify that you have the required database privileges to configure the database.
n Verify that the database server uses the SQL Server Authentication method of authentication.
Do not use Windows Authentication.
Procedure
1 Open SQL Server Configuration Manager and expand SQL Server YYYY Network
Configuration.
2 Select Protocols for server_name.
3 In the list of protocols, right-click TCP/IP and select Properties.
4 Set the Enabled property to Yes.
VMware, Inc. 111

5 Verify that a port is assigned or, if necessary, assign one.
For information on the static and dynamic ports and how to assign them, see the online help
for the SQL Server Configuration manager.
6 Verify that this port is not blocked by a firewall.
What to do next
Use Horizon Console to connect the database to Connection Server. Follow the instructions in
Configure the Event Database in Horizon Console.
Prepare a PostgreSQL Database for Event Reporting in

Horizon Console
Before you can use Horizon Console to configure an event database on PostgreSQL, you must
edit a configuration file so that the Connection Server can communicate with the PostgreSQL
database.
Prerequisites
n Create a PostgreSQL database for event reporting. See Add a Database and Database User
for VMware Horizon Events in Horizon Console.
n Verify that you have the required database privileges to configure the database.
Procedure
1 In the directory where PostgreSQL is installed, open the data/pg_hba file for editing.
2 Add the following row to the table under IPv4 local connections (replace <IP address of
Connection Server> with the actual IP address of the Connection Server):
TYPE DATABASE USER ADDRESS METHOD
host all all <IP address of md5

Connection Server>
3 Save the file.
What to do next
Use Horizon Console to connect the database to Connection Server. Follow the instructions in
Configure the Event Database in Horizon Console.
Configure the Event Database in Horizon Console

The event database stores information about VMware Horizon events as records in a database
rather than in a log file.
VMware, Inc. 112

You configure an event database after installing a Connection Server instance. You need to
configure only one host in a Connection Server group. The remaining hosts in the group are
configured automatically.
Note The security of the database connection between the Connection Server instance and an
external database is the responsibility of the administrator, although event traffic is limited to
information about the health of the VMware Horizon environment.
n If you want to take extra precautions, you can secure this channel through IPSec or other
means, or you can deploy the database locally on the Connection Server computer.
n By default Connection Server connects to the event database in non-SSL mode. For
information about enabling SSL connection, see SSL Connection to Event Database.
You can use Microsoft SQL Server, Oracle, or PostgreSQL database reporting tools to examine
events in the database tables. For more information, see the Horizon Administration document.
You can also generate VMware Horizon events in Syslog format so that the event data can be
accessible to third-party analytics software. You use the vdmadmin command with the -I option
to record VMware Horizon event messages in Syslog format in event log files. See "Generating
VMware Horizon Event Log Messages in Syslog Format Using the -I Option" in the Horizon
Prerequisites
You need the following information to configure an event database:
n The DNS name or IP address of the database server.
n The type of database server: Microsoft SQL Server, Oracle, or PostgreSQL.
n The port number that is used to access the database server. The default is 1521 for Oracle
and 1433 for SQL Server. For SQL Server, if the database server is a named instance or if you
use SQL Server Express, you might need to determine the port number. See the Microsoft KB
article about connecting to a named instance of SQL Server, at http://
support.microsoft.com/kb/265808.
n The name of the event database that you created on the database server. See Add a
Database and Database User for VMware Horizon Events in Horizon Console.
For an Oracle 12c or 11g database, you must use the Oracle System Identifier (SID) as the
database name when you configure the event database in Horizon Console.
n The username and password of the user you created for this database. See Add a Database
and Database User for VMware Horizon Events in Horizon Console.
For SQL Server, use SQL Server Authentication for this user. Do not use the Integrated
Windows Authentication security model method of authentication.
VMware, Inc. 113

n A prefix for the tables in the event database, for example, VE_. The prefix enables the
database to be shared among VMware Horizon installations.
Note You must enter characters that are valid for the database software you are using. The
syntax of the prefix is not checked when you complete the dialog box. If you enter characters
that are not valid for the database software you are using, an error occurs when Connection
Server attempts to connect to the database server. The log file indicates all errors, including
this error and any others returned from the database server if the database name is invalid.
Procedure
1 In Horizon Console, select Settings > Event Configuration.
2 In the Event Database section, click Edit, enter the information in the fields provided, and
click OK.
To clear the event database information, click Clear.
3 (Optional) In the Event Settings window, click Edit, change the length of time to show events
and the number of days to classify events as new, and click OK.
These settings pertain to the length of time the events are listed in the Horizon Console
interface. After this time, the events are only available in the historical database tables.
Note Timing profiler data is removed from all database tables, so it is not available in
historical tables.
Commands for activating and deactivating the timing profiler are as follows.
n To activate the timing profiler on a Connection Server instance that does not use a
management port:
vdmadmin -I -timingProfiler -enable
n To activate the timing profiler on a Connection Server instance that uses a management
port:
vdmadmin -I -timingProfiler -enable -server {ip/server}
n To deactivate the timing profiler on a Connection Server instance:
vdmadmin -I -timingProfiler -disable
4 Select Monitoring > Events to verify that the connection to the event database is successful.
If the connection is unsuccessful, an error message appears. If you are using SQL Express or
if you are using a named instance of SQL Server, you might need to determine the correct
port number, as mentioned in the prerequisites.
VMware, Inc. 114

SSL Connection to Event Database

By default Connection Server connects to the event database in non-SSL mode. You can switch
between non-SSL and SSL modes using the steps below.
Switch to SSL Connection Mode

1 Confirm that the database can accept SSL connections.
2 Confirm that the database certificate is trusted by the Windows machine containing the
connection server. If it is not, you can remedy this by importing the database certificate to
the machine and adding it to the Windows trust store.
3 Under Local Ldap > OU=Properties > OU=Global > CN=Common, set the pae-enableDbSSL flag
to 1.
4 Restart the connection server.
All database connections are now created using SSL. If the database does not support SSL or the
database certificates are not trusted by the Windows machine containing the connection server,
the database connections will fail.
Switch Back to Non-SSL Connection Mode

1 Under Local Ldap > OU=Properties > OU=Global > CN=Common, set the pae-enableDbSSL flag
to 0.
2 Restart the connection server.
Configure Event Logging to File or Syslog Server in Horizon

Console
You can generate VMware Horizon events in Syslog format so that the event data can be
accessible to analytics software.
You need to configure only one host in a Connection Server group. The remaining hosts in the
group are configured automatically.
If you enable file-based logging of events, events are accumulated in a local log file. If you specify
a file share, these log files are moved to that share.
n The maximum size of the local directory for event logs, including closed log files, before the
oldest files are deleted, is 300MB. The default destination of the Syslog output is
%PROGRAMDATA%\VMware\VDM\events\.
n Use a UNC path to save log files for a long-term record of events, or if you do not have a
Syslog server or event database, or if your current Syslog server does not meet your needs.
VMware, Inc. 115

You can alternatively use a vdmadmin command to configure file-based logging of events in
Syslog format. See the topic about generating VMware Horizon event log messages in Syslog
format using the -I option of the vdmadmin command, in the Horizon Administration document.
Important When sending to a Syslog server, Syslog data is sent across the network without
software-based encryption, and might contain sensitive data, such as user names. VMware
recommends using link-layer security, such as IPSEC, to avoid the possibility of this data being
monitored on the network.
Prerequisites
You need the following information to configure Connection Server so that events can be
recorded in Syslog format or sent to a Syslog server, or both:
n If you plan to use a Syslog server to listen for the VMware Horizon events on a UDP port, you
must have the DNS name or IP address of the Syslog server and the UDP port number. The
default UDP port number is 514.
n If you plan to collect logs in a flat-file format, you must have the UNC path to the file share
and folder in which to store the log files, and you must have the user name, domain name,
and password of an account that has permission to write to the file share.
Procedure
1 In Horizon Console, select Settings > Event Configuration.
2 (Optional) In the Syslog area, to configure Connection Server to send events to a Syslog
server, click Add below Send to syslog servers, and supply the server name or IP address
and the UDP port number.
3 (Optional) In the Events to File System area, choose whether or not to enable event log
messages to be generated and stored in Syslog format in log files.
Option Description
Always Always generate and store event log messages in Syslog format in log files.
Log to file on error (default) Log audit events to a log file when there is a problem writing events to the
event database or the Syslog server. This option is enabled by default.
Never Never generate and store event log messages in Syslog format in log files.
The log files are retained locally unless you specify a UNC path to a file share.
4 (Optional) To store the VMware Horizon event log messages on a file share, click Add below
Copy to location, and supply the UNC path to the file share and folder in which to store the
log files, along with the user name, domain name, and password of an account that has
permission to write to the file share.
An example of a UNC path is:
\\syslog-server\folder\file
VMware, Inc. 116

Installing VMware Horizon in an
IPv6 Environment 11
VMware Horizon supports IPv6 as an alternative to IPv4. The environment must be either IPv6
only or IPv4 only. VMware Horizon does not support a mixed IPv6 and IPv4 environment.
Not all VMware Horizon features that are supported in an IPv4 environment are supported in an
IPv6 environment. VMware Horizon does not support upgrading from an IPv4 environment to an
IPv6 environment. Also, VMware Horizon does not support migration between IPv4 and IPv6
environments.
Important To run VMware Horizon in an IPv6 environment, you must specify IPv6 when you
install all VMware Horizon components.
n Setting Up VMware Horizon in an IPv6 Environment
n Supported vSphere, Database, and Active Directory Versions in an IPv6 Environment
n Supported Operating Systems for VMware Horizon Servers in an IPv6 Environment
n Supported Windows Operating Systems for Desktops and RDS Hosts in an IPv6 Environment
n Supported Clients in an IPv6 Environment
n Supported Remoting Protocols in an IPv6 Environment
n Supported Authentication Types in an IPv6 Environment
n Other Supported Features in an IPv6 Environment
Setting Up VMware Horizon in an IPv6 Environment

To run VMware Horizon in an IPv6 environment, you must be aware of the requirements and
choices that are specific to IPv6 when you perform certain administrative tasks.
Before you install VMware Horizon, you must have a working IPv6 environment. The following
VMware Horizon administrative tasks have options that are specific to IPv6.
n Installing Horizon Connection Server. See Install Horizon Connection Server with a New
Configuration.
VMware, Inc. 117

n Installing View Replica Server. See Install a Replicated Instance of Horizon Connection Server.
n Configuring the PCoIP External URL. See Configure the Secure Tunnel and PCoIP Secure
Gateway.
n Setting the PCoIP External URL. See Set the External URLs for Horizon Connection Server
Instances.
n Modifying the PCoIP External URL. See Set the External URLs for Horizon Connection Server
Instances.
n Installing Horizon Agent. See the Horizon Agent installation topics in the Setting Up Published
Desktops and Applications in Horizon and Setting Up Virtual Desktops in Horizon documents.
n Installing Horizon Client. See Supported Clients in an IPv6 Environment.
Note VMware Horizon does not require you to enter an IPv6 address in any administrative tasks.
In cases where you can specify either a fully qualified domain name (FQDN) or an IPv6 address, it
is highly recommended that you specify an FQDN to avoid potential errors.
Supported vSphere, Database, and Active Directory

Versions in an IPv6 Environment
In an IPv6 environment, VMware Horizon supports specific vSphere, database server, and Active
Directory versions.
For the most up-to-date information about supported databases, vSphere versions, and Active
Directory versions in an IPv6 environment, see the VMware Product Interoperability Matrixes at
http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
Supported Operating Systems for VMware Horizon Servers

in an IPv6 Environment
You must install VMware Horizon servers on specific Windows Server operating systems.
For a list of supported versions, see the VMware Knowledge Base (KB) article https://
Supported Windows Operating Systems for Desktops and

RDS Hosts in an IPv6 Environment
VMware Horizon supports specific Windows operating systems for desktop machines and RDS
hosts. RDS hosts provide session-based desktops and applications to users.
The types and editions of the supported guest operating system depend on the Windows
version.
For a list of Windows 10 guest operating systems, see the VMware Knowledge Base (KB) article
https://kb.vmware.com/s/article/78714.
VMware, Inc. 118

For Windows operating systems, other than Windows 10, see the VMware Knowledge Base (KB)
article https://kb.vmware.com/s/article/78715.
Supported Clients in an IPv6 Environment

In an IPv6 environment, VMware Horizon supports clients that run on specific desktop operating
systems.
Windows 10 32-bit or 64-bit Home, Pro, Pro for Workstations, Enterprise, and IoT Enterprise.
On iOS devices, Horizon Client for iOS 4.1 or later is required.
On macOS devices, Horizon Client for Mac 4.9 or later is required.
On Android devices, Horizon Client for Android 4.9 or later is required.
On Chromebook devices, Horizon Client for Android 5.1 or later is required.
On Linux devices, Horizon Client for Linux 2006 or later is required.
The following clients are not supported.
n Horizon Client for Chrome
n Horizon Client for Windows 10 UWP
n PCoIP Zero Client
Supported Remoting Protocols in an IPv6 Environment

In an IPv6 environment, VMware Horizon supports specific remoting protocols.
The following remoting protocols are supported:
n RDP
n RDP with Secure Tunnel
n PCoIP
n PCoIP through PCoIP Secure Gateway
n VMware Blast
n VMware Blast through Blast Secure Gateway
n Blast Extreme Adaptive Transport (BEAT)
Supported Authentication Types in an IPv6 Environment

In an IPv6 environment, VMware Horizon supports specific authentication types.
The following authentication types are supported:
n Password authentication using Active Directory
n Smart Card
VMware, Inc. 119

n Single Sign-On
The following authentication types are not supported:
n SecurID
n RADIUS
n SAML
Other Supported Features in an IPv6 Environment

In an IPv6 environment, Horizon supports certain features that are not covered in previous topics.
The following features are supported:
n Application pools
n Applications that run on a desktop pool
n Audio-out
n Automated desktop pools of full virtual machines and instant clones
n Blast Extreme Adaptive Transport (BEAT)
n Browser Redirection
n Client Drive Redirection/File transfer
n Clipboard
n Customer Experience Improvement Program (CEIP)
n Disk space reclamation
n DPI sync
n Drag and Drop
n Events
n File association
n Geolocation Redirection
n Horizon Performance Tracker
n HTML5 Multimedia Redirection
n Instant-clone desktop pools
n LDAP backup
n Local IME
n Location-Based Printing (LBP)
n Manual desktop pools, including vCenter Server virtual machines, physical computers, and
virtual machines not managed by vCenter Server
VMware, Inc. 120

n Native NFS snapshots (VAAI)
n Real-Time Audio-Video (RTAV)
n Published desktop pools
n RDS Host 3D
n Role-based administration
n RTAV
n Scanner redirection
n SDO Sensor Redirection
n Seamless Windows
n Serial port redirection
n Session Collaboration
n Single Sign-on, including the Log in as current user feature
n Smart Card Redirection
n System health dashboard
n TSMMR and DShowMMR
n Unity touch
n USB redirection
n View Storage Accelerator
n VMware audio
n VMware Integrated Printing
n VMware video
n VMware Virtualization Pack for Skype for Business (Windows only)
n vSAN
n HTML Access
The following features are not supported:
n Cloud Pod Architecture
n Log Insight
n Microsoft Lync
n Microsoft Teams
n PCoIP with published instant-clone desktop pools
n Syslog
n Teradici TERA host card
VMware, Inc. 121

n Virtual Volumes
n Horizon Cloud Connector
n Untrusted domains
n URL redirection
VMware, Inc. 122

Installing VMware Horizon in FIPS
Mode 12
VMware Horizon can perform cryptographic operations using FIPS (Federal Information
Processing Standard) 140-2 compliant algorithms. You can enable the use of these algorithms by
installing VMware Horizon in FIPS mode.
VMware Horizon does not support upgrading from a non-FIPS installation to a FIPS installation.
Note To ensure that VMware Horizon runs in FIPS mode, you must enable FIPS when you install
all VMware Horizon components.
n Overview of Setting Up VMware Horizon in FIPS Mode
n System Requirements for FIPS Mode
Overview of Setting Up VMware Horizon in FIPS Mode

To set up VMware Horizon in FIPS mode, you must first enable FIPS mode in the Windows
environment. Then you install all the VMware Horizon components in FIPS mode.
The option to install VMware Horizon in FIPS mode is available only if FIPS mode is enabled in the
Windows environment. For more information about enabling FIPS mode in Windows, see https://
support.microsoft.com/en-us/kb/811833.
Note Horizon Console does not indicate whether VMware Horizon is running in FIPS mode.
To install VMware Horizon in FIPS mode, perform the following administrative tasks.
n When installing Connection Server, select the FIPS mode option. See Install Horizon
Connection Server with a New Configuration.
n When installing a replica server, select the FIPS mode option. See Install a Replicated Instance
of Horizon Connection Server.
n Disable weak ciphers for Horizon Agent machines. See Disable Weak Ciphers in SSL/TLS.
VMware, Inc. 123

n When installing Horizon Agent, select the FIPS mode option. See the Horizon Agent
installation topics in the Setting Up Virtual Desktops in Horizon or Setting Up Published
Desktops and Applications in Horizon document.
n For Windows clients, enable FIPS mode in the client operating system and select the FIPS
mode option when installing Horizon Client for Windows. See the VMware Horizon Client for
Windows Installation and Setup Guide document.
n For Linux clients, enable FIPS mode in the client operating system. See the VMware Horizon
Client for Linux Installation and Setup Guide document.
System Requirements for FIPS Mode

To support FIPS mode, your VMware Horizon deployment must meet the following requirements.
vSphere
n vCenter Server 6.5 or later
n ESXi 6.5 or later
Remote desktop
n Any Windows platform that has a FIPS certificate. For information, see "FIPS 140
Validation" on the Microsoft TechNet website.
n Horizon Agent for Windows platforms only
Horizon Client
n Any Windows platform that has a FIPS certificate. For information, see "FIPS 140
Validation" on the Microsoft TechNet website.
n Horizon Client for Windows
Cryptographic protocol
n TLSv1.2
VMware, Inc. 124

Horizon Installation - VMware Horizon 2106

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Horizon Installation - VMware Horizon 2106

Uploaded by

Copyright:

Available Formats

VMware Horizon 2106

1 System Requirements for Server Components 8

2 System Requirements for Guest Operating Systems 11

3 Preparing Active Directory 13

4 Installing Horizon Connection Server 23

Install a Replicated Instance of Horizon Connection Server Silently 36

5 Configuring TLS Certificates for VMware Horizon Servers 49

6 Configuring VMware Horizon for the First Time 73

Horizon Console and Horizon Connection Server 78

7 Deploying VMware Horizon on VMware Cloud on AWS 107

8 Deploying VMware Horizon on Azure VMware Solution 108

9 Deploying VMware Horizon on VMware Cloud on Dell EMC 109

10 Configuring Event Reporting in Horizon Console 110

11 Installing VMware Horizon in an IPv6 Environment 117

12 Installing VMware Horizon in FIPS Mode 123

This chapter includes the following topics:

n Horizon Connection Server Requirements

n Horizon Console Requirements

Horizon Connection Server Requirements

n Hardware Requirements for Horizon Connection Server

n Supported Operating Systems for Horizon Connection Server

n Virtualization Software Requirements for Horizon Connection Server

n Network Requirements for Replicated Horizon Connection Server Instances

Hardware Requirements for Horizon Connection Server

Table 1-1. Horizon Connection Server Hardware Requirements

Hardware Component Required Recommended

Processor Pentium IV 2.0GHz processor or 4 CPUs

Network Adapter 100Mbps NIC 1Gbps NICs

Memory 4GB RAM or higher At least 10GB RAM for deployments of 50 or

Supported Operating Systems for Horizon Connection Server

Virtualization Software Requirements for Horizon Connection Server

Network Requirements for Replicated Horizon Connection Server

Horizon Console Requirements

n Firefox (latest versions)

n Chrome (latest versions)

n Safari (latest versions)

n Microsoft Edge (Windows 10)

This chapter includes the following topics:

n Requirements and Considerations for Horizon Agent

n Remote Display Protocol and Software Support

Requirements and Considerations for Horizon Agent

Remote Display Protocol and Software Support

This chapter includes the following topics:

n Configuring Domains and Trust Relationships

n Creating an OU for Remote Desktops

n Creating OUs and Groups for Kiosk Mode Client Accounts

n Creating Groups for Users

n Creating a User Account for vCenter Server

n Create a User Account for Instant-Clone Operations

n Configure the Restricted Groups Policy

n Using VMware Horizon Group Policy Administrative Template Files

n Prepare Active Directory for Smart Card Authentication

n Disable Weak Ciphers in SSL/TLS

Configuring Domains and Trust Relationships

n The Connection Server domain

You can provide secondary credentials by using the vdmadmin -T command.

n You configure secondary credentials for individual administrator users.

Unauthenticated access is not supported in a one-way trust environment when authenticating a

The following features are not supported in an untrusted domain:

n Logon as current user

n Unauthenticated access users

n Adding an administrator user for an untrusted domain

n Identify an AD User That Does Not Have an AD UPN